Releases: ActiveState/pip

24.0.0.1 — Python 3.7 CVE security patch

13 May 17:21

ActiveState security-patched build of pip 24.0 for customers still running Python 3.7.

Pip 24.0 (Feb 2024) is the last upstream release with requires-python = ">=3.7". Pip 24.1 bumped to 3.8 and 26.0 to 3.9, so neither line of upstream security fixes reaches 3.7 users via a routine upgrade. This release backports two path-traversal CVEs onto the 24.0 base.

Backported CVEs

CVE-2025-8869 — Path traversal via symlinks in tar fallback extraction

A malicious sdist could ship a symbolic-link tar member whose target points outside the install directory; pip's fallback (non-data_filter) extraction path followed that symlink during later file writes. Python ≥3.9.17/3.10.12/3.11.4/≥3.12 are protected by stdlib's PEP 706 tarfile.data_filter, but Python 3.7 has no PEP 706 backport, so the fallback path is the only path on 3.7 — these users were the most exposed.

Fix consolidates the upstream hardening series (pypa/pip #13550): a new is_symlink_target_in_tar helper validates that every symlink member's target resolves to another member of the same tar, and untar_file raises InstallationError otherwise. Commit 00878149f.
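The check described above, written out as an added example that is not pip's code and does not reproduce pip's `is_symlink_target_in_tar` helper: a link member is accepted only if its target, resolved relative to the directory holding the link (archive-relative for hard links), names another member of the same tar. The function names `symlink_target_in_tar`, `find_unsafe_links` and `build_sample_sdist` are this example's own, and the sdist it inspects is constructed in memory.

```python
import io
import posixpath
import tarfile


def symlink_target_in_tar(member, member_names):
    """Return True if a link member's target names another member of the same tar.

    Symlink targets are interpreted relative to the directory that holds the
    link; hard-link targets are archive-relative. Absolute targets, targets that
    climb above the archive root, and targets the archive does not carry are
    rejected. Non-link members are always accepted.
    """
    if member.issym():
        if posixpath.isabs(member.linkname):
            return False
        target = posixpath.normpath(
            posixpath.join(posixpath.dirname(member.name), member.linkname)
        )
    elif member.islnk():
        target = posixpath.normpath(member.linkname)
    else:
        return True
    if target == ".." or target.startswith("../"):
        return False
    return target in member_names


def find_unsafe_links(tar_bytes):
    """Return the names of link members that do not resolve inside the archive."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        members = tar.getmembers()
        names = {posixpath.normpath(m.name) for m in members}
        # A link pointing at another link is accepted here: if that second link
        # escapes, it is flagged on its own and the whole archive is rejected.
        return [m.name for m in members if not symlink_target_in_tar(m, names)]


def build_sample_sdist():
    """Constructed in-memory sdist with one benign and three unsafe symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_symlink(name, target):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)

        add_file("pkg-1.0/setup.py", b"from setuptools import setup\nsetup(name='pkg')\n")
        add_file("pkg-1.0/README", b"readme\n")
        add_symlink("pkg-1.0/README.txt", "README")            # resolves to a member
        add_symlink("pkg-1.0/escape", "../../../outside.txt")  # climbs above the root
        add_symlink("pkg-1.0/absolute", "/abs/outside.txt")    # absolute target
        add_symlink("pkg-1.0/dangling", "missing.txt")         # not carried by the tar
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_unsafe_links(build_sample_sdist()):
        print("rejecting unsafe link member:", name)
```

Running it lists `pkg-1.0/escape`, `pkg-1.0/absolute` and `pkg-1.0/dangling`; only `README.txt`, whose target is a real member, passes. Because the decision is made on archive metadata before anything is written, it does not depend on PEP 706 filters and so works on the Python 3.7 fallback path the release note is concerned with.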

CVE-2026-1703 — Path traversal in is_within_directory

os.path.commonprefix performs a character-by-character (not component-wise) comparison, so /install/parent/child and /install/parent/childfoo were treated as sharing a common parent. A crafted wheel could exploit this to write files into a sibling directory whose name is a prefix of the install path.

Fix replaces commonprefix with os.path.commonpath (pypa/pip #13777), with a regression test for the prefix-vs-component case. Commit b483e95bb.
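The prefix-versus-component difference, as an added example (not pip's code): the first function mirrors the `commonprefix` logic that pip 24.0 used, the second the `commonpath` form the fix switches to. The install directory and candidate paths are constructed for the demonstration; `classify` and the two function names are this example's own.

```python
import os

# Constructed install directory and candidate destinations that an archive
# might ask pip to write to; none of these paths come from a real package.
INSTALL_DIR = "/install/parent/child"
CANDIDATES = [
    "/install/parent/child/pkg/__init__.py",   # legitimate member
    "/install/parent/child",                   # the install root itself
    "/install/parent/childfoo/stray.py",       # sibling whose name is a prefix
    "/install/parent/child/../sibling/x.py",   # classic dot-dot escape
]


def is_within_directory_prefix(directory, target):
    """pip <= 24.0 logic: os.path.commonprefix compares characters, so a
    sibling directory whose name merely starts with the install root passes."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    prefix = os.path.commonprefix([abs_directory, abs_target])
    return prefix == abs_directory


def is_within_directory_commonpath(directory, target):
    """Hardened logic: os.path.commonpath compares whole path components."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    try:
        return os.path.commonpath([abs_directory, abs_target]) == abs_directory
    except ValueError:
        # Raised when the paths cannot share a root (e.g. different Windows
        # drives); such a target is by definition not inside the directory.
        return False


def classify(check, directory=INSTALL_DIR, candidates=CANDIDATES):
    """Map each candidate path to the verdict of the given containment check."""
    return {path: check(directory, path) for path in candidates}


if __name__ == "__main__":
    for name, check in (("commonprefix", is_within_directory_prefix),
                        ("commonpath", is_within_directory_commonpath)):
        print(name)
        for path, ok in classify(check).items():
            print("  ", "allow" if ok else "reject", path)
```

Note that `abspath` already normalises the dot-dot case, so both variants reject it; the prefix-sibling path is the one only `commonpath` catches, which is exactly the regression case the backport adds a test for.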

Versioning

The internal package version is deliberately unchanged at 24.0 — the wheel is named pip-24.0-py3-none-any.whl and pip --version will continue to report 24.0. The 24.0.0.1 identifier exists only as the git tag / GitHub release name to distinguish this ActiveState security build from the upstream 24.0 artifact. If you need to detect this build at runtime, check for is_symlink_target_in_tar in pip._internal.utils.unpacking.

Compatibility

  • Python: ≥3.7 (unchanged from upstream 24.0)
  • API: Identical to upstream 24.0. No behavior changes for legitimate inputs; malicious archives that previously slipped through is_within_directory or the symlink path now raise InstallationError.

Artifact checksums (SHA-256)

217523e1b33d343c5152c77a808bb7c6c2b63716b35ba955d02d015d96a19ebb  pip-24.0.tar.gz
d3af911af9cdef46cba0fdc853ded4f6fd57b6a1ca3c73093f3b98cbf20dbe19  pip-24.0-py3-none-any.whl

Branch

Python-3.7-compat — based on upstream tag 24.0 (ef78c129b) + the two CVE backport commits listed above.