From 90f9f74bd06b9586e35567e262eb3096fe05ee50 Mon Sep 17 00:00:00 2001
From: pkgagent
Date: Wed, 4 Feb 2026 20:26:49 +0800
Subject: [PATCH] fix CVE-2026-24049

---
 .gitignore | 1 +
 python-wheel-0.41.2-CVE-2026-24049.patch | 63 ++++++++++++++++++++++++
 python-wheel.spec | 9 +++-
 3 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 .gitignore
 create mode 100644 python-wheel-0.41.2-CVE-2026-24049.patch

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..bcb32f2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+wheel-0.41.2.tar.gz
diff --git a/python-wheel-0.41.2-CVE-2026-24049.patch b/python-wheel-0.41.2-CVE-2026-24049.patch
new file mode 100644
index 0000000..72a6e46
--- /dev/null
+++ b/python-wheel-0.41.2-CVE-2026-24049.patch
@@ -0,0 +1,63 @@
+diff --git a/docs/news.rst b/docs/news.rst
+index 9e5488a..1bac038 100644
+--- a/docs/news.rst
++++ b/docs/news.rst
+@@ -8,6 +8,8 @@ Release Notes
+ - Fixed ``wheel tags`` to not list directories in ``RECORD`` files
+ (PR by Mike Taves)
+ - Fixed ABI tag generation for GraalPy (PR by Michael Simacek)
++- Fixed ``wheel unpack`` potentially altering the permissions of files outside of the
++ destination tree with maliciously crafted wheels (CVE-2026-24049)
+
+ **0.41.1 (2023-08-05)**
+
+diff --git a/src/wheel/cli/unpack.py b/src/wheel/cli/unpack.py
+index d48840e..83dc742 100644
+--- a/src/wheel/cli/unpack.py
++++ b/src/wheel/cli/unpack.py
+@@ -19,12 +19,12 @@ def unpack(path: str, dest: str = ".") -> None:
+ destination = Path(dest) / namever
+ print(f"Unpacking to: {destination}...", end="", flush=True)
+ for zinfo in wf.filelist:
+- wf.extract(zinfo, destination)
++ target_path = Path(wf.extract(zinfo, destination))
+
+ # Set permissions to the same values as they were set in the archive
+ # We have to do this manually due to
+ # https://github.com/python/cpython/issues/59999
+ permissions = zinfo.external_attr >> 16 & 0o777
+- destination.joinpath(zinfo.filename).chmod(permissions)
++ target_path.chmod(permissions)
+
+ print("OK")
+diff --git a/tests/cli/test_unpack.py b/tests/cli/test_unpack.py
+index ae584af..b121ca2 100644
+--- a/tests/cli/test_unpack.py
++++ b/tests/cli/test_unpack.py
+@@ -34,3 +34,26 @@ def test_unpack_executable_bit(tmp_path):
+ unpack(str(wheel_path), str(tmp_path))
+ assert not script_path.is_dir()
+ assert stat.S_IMODE(script_path.stat().st_mode) == 0o755
++
++
++@pytest.mark.skipif(
++ platform.system() == "Windows", reason="Windows does not support chmod()"
++)
++def test_chmod_outside_unpack_tree(tmp_path_factory):
++ wheel_path = tmp_path_factory.mktemp("build") / "test-1.0-py3-none-any.whl"
++ with WheelFile(wheel_path, "w") as wf:
++ wf.writestr(
++ "test-1.0.dist-info/METADATA",
++ "Metadata-Version: 2.4\nName: 
test\nVersion: 1.0\n",
++ )
++ wf.writestr("../../system-file", b"malicious data")
++
++ extract_root_path = tmp_path_factory.mktemp("extract")
++ system_file = extract_root_path / "system-file"
++ extract_path = extract_root_path / "subdir"
++ system_file.write_bytes(b"important data")
++ system_file.chmod(0o755)
++ unpack(str(wheel_path), str(extract_path))
++
++ assert system_file.read_bytes() == b"important data"
++ assert stat.S_IMODE(system_file.stat().st_mode) == 0o755
diff --git a/python-wheel.spec b/python-wheel.spec
index cbd56d4..66d6ae9 100644
--- a/python-wheel.spec
+++ b/python-wheel.spec
@@ -19,11 +19,14 @@ It has two different roles:
 Summary: Built-package format for Python
 Name: python-%{srcname}
 Version: 0.41.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: MIT and (ASL 2.0 or BSD)
 URL: https://github.com/pypa/wheel
 Source0: https://files.pythonhosted.org/packages/source/w/%{srcname}/%{srcname}-%{version}.tar.gz
+# CVE-2026-24049: Fixed security issue around wheel unpack
+Patch0001: python-wheel-0.41.2-CVE-2026-24049.patch
+
 BuildRequires: python%{python3_pkgversion}-devel
 BuildRequires: python%{python3_pkgversion}-setuptools python3-rpm-generators
@@ -91,6 +94,10 @@ rm -f setup.cfg
 %endif
 %changelog
+* Wed Feb 04 2026 cunshunxia - 0.41.2-4
+- [Type] security
+- [DESC] Fix CVE-2026-24049 vulnerability: Fixed security issue around wheel unpack where a maliciously crafted wheel could cause the permissions of a file outside the unpack tree to be altered
+
 * Thu Sep 26 2024 OpenCloudOS Release Engineering - 0.41.2-3
 - Rebuilt for clarifying the packages requirement in BaseOS and AppStream
-- Gitee
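Review bot: `test_chmod_outside_unpack_tree` only proves the pre-existing file outside the tree is untouched; it never pins where the `../../system-file` member actually landed, so a regression that extracts elsewhere or silently skips the entry would still pass. Add `assert (extract_path / "test-1.0" / "system-file").read_bytes() == b"malicious data"` after the two existing asserts to lock in that `ZipFile.extract()` dropped the `..` components and that `target_path` is that sanitised location. The `unpack.py` change itself is the right anchor — `Path(wf.extract(zinfo, destination))` chmods the path `extract()` reports it wrote instead of a path re-joined from the untrusted `zinfo.filename` — but note it still masks only to `0o777`, so a crafted archive can still make extracted files world-writable, and `Path.chmod()` follows symlinks; both are pre-existing behaviour rather than gaps in this change. Because this is a backport applied to the PyPI sdist, confirm `docs/news.rst` and `tests/cli/test_unpack.py` are present in `wheel-0.41.2.tar.gz`; if either is missing the patch will not apply cleanly, and the `news.rst` hunk (which files the entry under the already-released 0.41.2 notes) is the one to drop. The `unpack()` function and the `with WheelFile(path) as wf:` that binds `wf` start before the `@@ -19,12 +19,12 @@` hunk.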
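Review bot: `Patch0001:` declares the patch but nothing in this hunk applies it; that depends on `%prep`, which is outside the hunk. With `%autosetup -p1` or `%autopatch` the new tag is applied automatically, but if `%prep` still uses `%setup` plus explicit `%patchN` lines the fix is silently skipped and 0.41.2-4 ships the vulnerable `unpack.py` under a changelog claiming CVE-2026-24049 is fixed — verify in `%prep` or by checking the build log for the patch being applied. If the spec has a `%check` section, running `tests/cli/test_unpack.py::test_chmod_outside_unpack_tree` there lets the build itself prove the backport took effect. The comment could also name the defect rather than restate the title, e.g. `# CVE-2026-24049: wheel unpack chmod()ed a path rebuilt from the archive member name, reaching files outside the destination tree`.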