File CVE-2026-2297-SourcelessFileLoader-io_open_code.patch of Package python311

From f2f8c864616950bd1d47c3171b8c1cc13e789eb0 Mon Sep 17 00:00:00 2001
From: Steve Dower <steve.dower@python.org>
Date: Wed, 4 Mar 2026 19:55:52 +0000
Subject: [PATCH 1/2] gh-145506: Fixes CVE-2026-2297 by ensuring
 SourcelessFileLoader uses io.open_code (GH-145507) (cherry picked from commit
 a51b1b512de1d56b3714b65628a2eae2b07e535e)

Co-authored-by: Steve Dower <steve.dower@python.org>
---
 Lib/importlib/_bootstrap_external.py                            | 2 +-
 .../Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst     | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst

diff --git a/Lib/importlib/_bootstrap_external.py b/Lib/importlib/_bootstrap_external.py
index e53f6acf38fc64..588da3c7ad1517 100644
--- a/Lib/importlib/_bootstrap_external.py
+++ b/Lib/importlib/_bootstrap_external.py
@@ -1126,7 +1126,7 @@ def get_filename(self, fullname):
 
     def get_data(self, path):
         """Return the data from path as raw bytes."""
-        if isinstance(self, (SourceLoader, ExtensionFileLoader)):
+        if isinstance(self, (SourceLoader, SourcelessFileLoader, ExtensionFileLoader)):
             with _io.open_code(str(path)) as file:
                 return file.read()
         else:
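Review bot: no regression test accompanies the changed isinstance check in get_data; the diffstat lists only _bootstrap_external.py and the NEWS entry. Please add a test that loads a module through SourcelessFileLoader and asserts the read goes through io.open_code, so a later refactor of this tuple cannot silently drop the loader again. Any FileLoader subclass not named in the tuple still takes the else branch, so a short comment above the check saying which loaders must be listed and why would help the next reader. The new line is also well over 79 columns; wrapping the tuple across two lines keeps it within the usual limit.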
diff --git a/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
new file mode 100644
index 00000000000000..dcdb44d4fae4e5
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
@@ -0,0 +1,2 @@
+Fixes :cve:`2026-2297` by ensuring that ``SourcelessFileLoader`` uses
+:func:`io.open_code` when opening ``.pyc`` files.
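Review bot: the NEWS text names the mechanism but not the consequence for users; one added clause saying that ``.pyc`` files loaded by ``SourcelessFileLoader`` were previously opened without going through io.open_code would tell readers who depend on that function what they were exposed to. The :cve: role on the first line is replaced with plain text by patch 2/2, so for this backport the two patches could be squashed to avoid carrying an entry that is corrected one commit later.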

From 8754167e89691c33f840a55b69217617cd70dccf Mon Sep 17 00:00:00 2001
From: Steve Dower <steve.dower@python.org>
Date: Wed, 4 Mar 2026 19:59:52 +0000
Subject: [PATCH 2/2] Fix docs reference

---
 .../Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
index dcdb44d4fae4e5..edeb9e640c2732 100644
--- a/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
+++ b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
@@ -1,2 +1,2 @@
-Fixes :cve:`2026-2297` by ensuring that ``SourcelessFileLoader`` uses
+Fixes CVE-2026-2297 by ensuring that ``SourcelessFileLoader`` uses
 :func:`io.open_code` when opening ``.pyc`` files.