Skip to content

[3.14] gh-151544: Fixes CVE-2026-12003 by removing the fallback to %VPATH%/Modules/Setup.local for discovering sources in getpath.py (GH-151545)#151565

Open
miss-islington wants to merge 4 commits into
python:3.14from
miss-islington:backport-9e863fa-3.14
Open

[3.14] gh-151544: Fixes CVE-2026-12003 by removing the fallback to %VPATH%/Modules/Setup.local for discovering sources in getpath.py (GH-151545)#151565
miss-islington wants to merge 4 commits into
python:3.14from
miss-islington:backport-9e863fa-3.14

Conversation

@miss-islington

@miss-islington miss-islington commented Jun 16, 2026
edited by bedevere-app Bot
Loading

Copy link
Copy Markdown
Contributor

@zooba @miss-islington
pythongh-151544: Fixes CVE-2026-12003 by removing the fallback to %VP…
4d228c4 
…ATH%/Modules/Setup.local for discovering sources in getpath.py (pythonGH-151545)

(cherry picked from commit 9e863fa)

Co-authored-by: Steve Dower <steve.dower@python.org>
This was referenced Jun 16, 2026
Open
Merged
@zooba

zooba commented Jun 17, 2026

Copy link
Copy Markdown
Member

I'm looking into the WASI failure. Best hint so far (thanks Brett!) is that the --argv0 option was added to the 3.15 build but isn't in earlier versions. That seems likely, as it would affect the real_executable calculation in getpath.py that is eventually used to look for pybuilddir.txt. However, that same calculation should've affected it before, unless VPATH is an absolute path (next thing for me to check, after dinner).

@zooba zooba requested a review from brettcannon as a code owner June 17, 2026 18:36
zooba
zooba reviewed Jun 17, 2026
View reviewed changes
Comment thread Tools/wasm/wasi/__main__.py
Comment on lines +371 to +374
pybuilddir_txt = working_dir / "pybuilddir.txt"
if not pybuilddir_txt.exists():
os.symlink(CHECKOUT / "pybuilddir.txt", pybuilddir_txt)
log("📝", f"Symlinked {pybuilddir_txt} to normal location")

@zooba zooba Jun 17, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@savannahostrowski @brettcannon Without the ../../Modules/Setup.local fallback (the security risk I'm fixing here) and without the --argv0 argument to fix up the path (not available in this version of wasmtime), this seems to be the best way to help it find pybuilddir.txt. Any thoughts/comments?

@zooba zooba mentioned this pull request Jun 17, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zooba zooba zooba left review comments

@FFY00 FFY00 Awaiting requested review from FFY00 FFY00 is a code owner

@erlend-aasland erlend-aasland Awaiting requested review from erlend-aasland erlend-aasland is a code owner

@brettcannon brettcannon Awaiting requested review from brettcannon brettcannon is a code owner

Assignees

No one assigned

Labels

awaiting review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@miss-islington @zooba