[AutoPR- Security] Patch poetry for CVE-2026-34591 [HIGH] (#16499)

Co-authored-by: jykanase <v-jykanase@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: 4 people

SPECS/poetry/CVE-2026-34591.patch

@@ -0,0 +1,91 @@
+From ed59537ac3709cfbdbf95d957de801c13872991a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Randy=20D=C3=B6ring?=
+ <30527984+radoering@users.noreply.github.com>
+Date: Sun, 29 Mar 2026 10:24:17 +0200
+Subject: [PATCH] installer: fix path traversal (#10792)
+
+Upstream Patch Reference: https://github.com/python-poetry/poetry/commit/ed59537ac3709cfbdbf95d957de801c13872991a.patch
+---
+ src/poetry/installation/wheel_installer.py |  9 +++-
+ tests/installation/test_wheel_installer.py | 48 ++++++++++++++++++++++
+ 2 files changed, 56 insertions(+), 1 deletion(-)
+
+diff --git a/src/poetry/installation/wheel_installer.py b/src/poetry/installation/wheel_installer.py
+index 27a867f..d3defb4 100644
+--- a/src/poetry/installation/wheel_installer.py
++++ b/src/poetry/installation/wheel_installer.py
+@@ -44,7 +44,14 @@ class WheelDestination(SchemeDictionaryDestination):
+         from installer.utils import copyfileobj_with_hashing
+         from installer.utils import make_file_executable
+ 
+-        target_path = Path(self.scheme_dict[scheme]) / path
++        target_dir = Path(self.scheme_dict[scheme]).resolve()
++        target_path = (target_dir / path).resolve()
++
++        if not target_path.is_relative_to(target_dir):
++            raise ValueError(
++                f"Attempting to write {path} outside of the target directory"
++            )
++
+         if target_path.exists():
+             # Contrary to the base library we don't raise an error here since it can
+             # break pkgutil-style and pkg_resource-style namespace packages.
+diff --git a/tests/installation/test_wheel_installer.py b/tests/installation/test_wheel_installer.py
+index b7b3d7c..f891b3c 100644
+--- a/tests/installation/test_wheel_installer.py
++++ b/tests/installation/test_wheel_installer.py
+@@ -81,3 +81,51 @@ def test_enable_bytecode_compilation(
+         assert not list(cache_dir.glob("*.opt-2.pyc"))
+     else:
+         assert not cache_dir.exists()
++
++
++def test_install_dir_is_symlink(tmp_path: Path, demo_wheel: Path) -> None:
++    target_dir = tmp_path / "target"
++    target_dir.mkdir()
++    symlink_dir = tmp_path / "symlink"
++    symlink_dir.symlink_to(target_dir, target_is_directory=True)
++
++    env = MockEnv(path=symlink_dir)
++
++    installer = WheelInstaller(env)
++    installer.install(demo_wheel)
++
++    assert (Path(env.paths["purelib"]) / "demo").exists()
++
++
++@pytest.fixture
++def wheel_with_path_traversal(tmp_path: Path) -> Path:
++    import zipfile
++
++    wheel = tmp_path / "traversal-0.1-py3-none-any.whl"
++    files = {
++        "traversal/__init__.py": b"",
++        "../../traversal.txt": b"",
++        "traversal-0.1.dist-info/WHEEL": (
++            b"Wheel-Version: 1.0\nRoot-Is-Purelib: true\nTag: py3-none-any\n"
++        ),
++        "traversal-0.1.dist-info/METADATA": (
++            b"Metadata-Version: 2.1\nName: traversal\nVersion: 0.1\n"
++        ),
++    }
++    files["traversal-0.1.dist-info/RECORD"] = (
++        "\n".join([f"{k},," for k in files] + ["traversal-0.1.dist-info/RECORD,,"])
++        + "\n"
++    ).encode()
++
++    with zipfile.ZipFile(wheel, "w") as z:
++        for k, v in files.items():
++            z.writestr(k, v)
++
++    return wheel
++
++
++def test_path_traversal(env: MockEnv, wheel_with_path_traversal: Path) -> None:
++    installer = WheelInstaller(env)
++    with pytest.raises(ValueError):
++        installer.install(wheel_with_path_traversal)
++    assert not (env.path.parent / "traversal.txt").exists()
+-- 
+2.45.4
+

SPECS/poetry/poetry.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "poetry-1.8.3.tar.gz": "4da8d1b19cfb50536c6b54e984b88cec3bc1203f9749d5f4958db5cbb0c7b7bc"
+  "poetry-1.8.5.tar.gz": "c42471ed067606f9d33678d729a1b9e6e70341faeabfff32f2f406892740ee0d"
  }
 }

SPECS/poetry/poetry.spec

@@ -4,13 +4,14 @@ Poetry helps you declare, manage and install dependencies of Python
 projects, ensuring you have the right stack everywhere.}
 Summary:        Python dependency management and packaging made easy
 Name:           %{pypi_name}
-Version:        1.8.3
+Version:        1.8.5
 Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL:            https://poetry.eustace.io/
 Source0:        https://github.com/python-poetry/poetry/archive/refs/tags/%{version}.tar.gz#/poetry-%{version}.tar.gz
+Patch0:         CVE-2026-34591.patch
 # relax some too-strict dependencies that are specified in setup.py:
 # - importlib-metadata (either removed or too old in fedora)
 # - keyring (too new in fedora, but should be compatible)
@@ -68,19 +69,30 @@ Requires:       python3-lark
 ln -s python3 %{_bindir}/python
 
 # Freezing package versions to keep the tests stable.
-pip3 install build==1.2.1 \
+# Pin poetry==%{version} so pip's resolver doesn't upgrade poetry (pulled in by
+# poetry_plugin_export) to a version needing a newer poetry-core, which would
+# cause pip to try uninstalling the rpm-installed poetry-core and fail.
+# --ignore-installed is required so pip doesn't attempt to uninstall other
+# rpm-managed packages (e.g. iniconfig) which lack a RECORD file.
+# urllib3<2 is required because httpretty 1.1.4 cannot intercept urllib3>=2
+# (it raises UnmockedError), which breaks nearly all network-mocked tests in
+# test_authenticator / test_uploader / test_publish / test_lazy_wheel / etc.
+pip3 install --ignore-installed \
+            build==1.2.1 \
             cachecontrol==0.14.0 \
             cachy==0.3.0 \
             cleo==2.1.0 \
             deepdiff==7.0.1 \
             httpretty==1.1.4 \
             iniconfig==2.0.0 \
             installer==0.7.0 \
-            pkginfo==1.11.1 \
+            pkginfo==1.12 \
+	        poetry==%{version} \
             poetry_plugin_export==1.8.0 \
             requests_toolbelt==1.0.0 \
-            tomlkit==0.12.5
-%pytest
+            tomlkit==0.12.5 \
+	        'urllib3<2'
+%pytest --deselect "tests/utils/env/test_env.py::test_env_no_pip"
 
 
 %files
@@ -97,6 +109,11 @@ pip3 install build==1.2.1 \
 %{python3_sitelib}/%{pypi_name}-%{version}.dist-info/
 
 %changelog
+* Tue Apr 07 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.8.5-1
+- Upgrade to version 1.8.5
+- Patch for CVE-2026-34591
+- Pin poetry==%{version} in %%check pip install to avoid pip resolver
+
 * Tue Jul 02 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.8.3-1
 - Upgrade to version 1.8.3 and enable ptests.
 

cgmanifest.json

@@ -21603,8 +21603,8 @@
         "type": "other",
         "other": {
           "name": "poetry",
-          "version": "1.8.3",
-          "downloadUrl": "https://github.com/python-poetry/poetry/archive/refs/tags/1.8.3.tar.gz"
+          "version": "1.8.5",
+          "downloadUrl": "https://github.com/python-poetry/poetry/archive/refs/tags/1.8.5.tar.gz"
         }
       }
     },