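--- a/SPECS/python-requests/CVE-2026-25645.patch
+++ b/SPECS/python-requests/CVE-2026-25645.patch
@@ -0,0 +1,38 @@
+From 7d89bfc6c07cb594bd31ab71f2de622694fe2e66 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Wed, 25 Mar 2026 08:57:56 -0600
+Subject: [PATCH] Merge commit from fork
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7.patch
+---
+requests/utils.py | 13 +++++++------
+1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/requests/utils.py b/requests/utils.py
+index 502c7bc..e0fcdbc 100644
+--- a/requests/utils.py
++++ b/requests/utils.py
+@@ -282,12 +282,13 @@ def extract_zipped_paths(path):
+return path
+
+# we have a valid zip archive and a valid member of that archive
+- tmp = tempfile.gettempdir()
+- extracted_path = os.path.join(tmp, member.split("/")[-1])
+- if not os.path.exists(extracted_path):
+- # use read + write to avoid the creating nested folders, we only want the file, avoids mkdir racing condition
+- with atomic_open(extracted_path) as file_handler:
+- file_handler.write(zip_file.read(member))
++ suffix = os.path.splitext(member.split("/")[-1])[-1]
++ fd, extracted_path = tempfile.mkstemp(suffix=suffix)
++ try:
++ os.write(fd, zip_file.read(member))
++ finally:
++ os.close(fd)
++
+return extracted_path
+
+
+--
+2.45.4
+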
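Review bot: In the backported `extract_zipped_paths` hunk, `os.write(fd, zip_file.read(member))` discards the byte count it returns, so a short write would leave a truncated file at `extracted_path` that is still returned to the caller; wrapping the descriptor, `with os.fdopen(fd, "wb") as file_handler: file_handler.write(zip_file.read(member))`, writes the whole buffer and also closes the descriptor. The move to `tempfile.mkstemp` removes the predictable path in the shared temp directory and the `os.path.exists` reuse of whatever file was already there, but each call now creates a fresh file and nothing in the hunk deletes it, neither on success nor when the read or write raises. An `os.unlink(extracted_path)` on the failure path before re-raising would at least avoid leaving partial files behind. The function begins outside the hunk, so whether callers remove the returned path is not visible here, and since this file is a carried copy of the upstream commit any such change presumably belongs upstream first.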
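--- a/SPECS/python-requests/python-requests.spec
+++ b/SPECS/python-requests/python-requests.spec
@@ -1,7 +1,7 @@
 Summary: Awesome Python HTTP Library That's Actually Usable
 Name: python-requests
 Version: 2.31.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -10,6 +10,7 @@ URL: http://python-requests.org
 Source0: https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz#/requests-%{version}.tar.gz
 Patch0: CVE-2024-35195.patch
 Patch1: CVE-2024-47081.patch
+Patch2: CVE-2026-25645.patch
 BuildArch: noarch
 
 %description
@@ -73,6 +74,9 @@ LANG=en_US.UTF-8 tox -e py%{python3_version_nodots}
 %{python3_sitelib}/*
 
 %changelog
+* Sun Mar 29 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.31.0-4
+- Patch for CVE-2026-25645
+
 * Tue Jun 17 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 2.31.0-3
 - Add patch for CVE-2024-47081
 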