[3.14] gh-151544: Fixes CVE-2026-12003 by removing the fallback to %VPATH%/Modules/Setup.local for discovering sources in getpath.py (GH-151545) #151565
…ATH%/Modules/Setup.local for discovering sources in getpath.py (pythonGH-151545) (cherry picked from commit 9e863fa) Co-authored-by: Steve Dower <steve.dower@python.org>
I'm looking into the WASI failure. Best hint so far (thanks Brett!) is that the --argv0 option was added to the 3.15 build but isn't in earlier versions. That seems likely, as it would affect the
| pybuilddir_txt = working_dir / "pybuilddir.txt" | ||
| if not pybuilddir_txt.exists(): | ||
| os.symlink(CHECKOUT / "pybuilddir.txt", pybuilddir_txt) | ||
| log("📝", f"Symlinked {pybuilddir_txt} to normal location") |
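Review bot: the `if not pybuilddir_txt.exists():` guard follows symlinks, so a dangling link already present at `working_dir / "pybuilddir.txt"` makes `exists()` return False and the `os.symlink(...)` call under it then fails with FileExistsError. Checking `pybuilddir_txt.is_symlink()` as well, or catching FileExistsError around the `os.symlink(...)` call, would make this step safe to re-run. The visible lines also do not check that `CHECKOUT / "pybuilddir.txt"` exists before linking to it, so a missing source file would leave a dangling link while the log line still reports success.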
@savannahostrowski @brettcannon Without the ../../Modules/Setup.local fallback (the security risk I'm fixing here) and without the --argv0 argument to fix up the path (not available in this version of wasmtime), this seems to be the best way to help it find pybuilddir.txt. Any thoughts/comments?
> not available in this version of wasmtime
The wasmtime version isn't locked, so you should be able to update it (might need CLI updates because there was a change to the format at some point).
Making this change (#151682) works, but I have no idea what the added effects may be, e.g. how easily can someone doing builds of 3.14 figure out that they need to update their wasmtime after the --argv0 argument causes it to fail? Any other risks in backporting the version upgrade that wouldn't show up in CI?
- --argv0 was added in wasmtime 24 (Aug 2024), which is the oldest version still receiving releases and predates CPython 3.14.0 (and 3.13.0)
- Users of wasmtime should be updating for security fixes regularly
- wasmtime is typically very backwards-compatible
- People can update any build script by setting --host-runner for their preferred command to run their preferred WASI host

So I say it's safe to update the default host runner settings.
Going with the alternative backport on #151682 for this and 3.13