{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"python-wheel security update", "category":"general", "title":"Synopsis" }, { "text":"An update for python-wheel is now available for openEuler-24.03-LTS", "category":"general", "title":"Summary" }, { "text":"A built-package format for Python. A wheel is a ZIP-format archive with a specially formatted filename and the .whl extension. It is designed to contain all the files for a PEP 376 compatible install in a way that is very close to the on-disk format.\n\nSecurity Fix(es):\n\nwheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.(CVE-2026-24049)", "category":"general", "title":"Description" }, { "text":"An update for python-wheel is now available for openEuler-24.03-LTS.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"python-wheel", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2026-1279", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1279" }, { "summary":"CVE-2026-24049", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-24049&packageName=python-wheel" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24049" }, { "summary":"openEuler-SA-2026-1279 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2026/csaf-openeuler-sa-2026-1279.json" } ], "title":"An update for python-wheel is now available for openEuler-24.03-LTS", "tracking":{ "initial_release_date":"2026-02-10T14:30:03+08:00", "revision_history":[ { "date":"2026-02-10T14:30:03+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2026-02-10T14:30:03+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2026-02-10T14:30:03+08:00", "id":"openEuler-SA-2026-1279", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"openEuler-24.03-LTS", "name":"openEuler-24.03-LTS" }, "name":"openEuler-24.03-LTS", "category":"product_version" } ], "category":"product_name" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"python-wheel-wheel-0.40.0-2.oe2403.noarch.rpm", "name":"python-wheel-wheel-0.40.0-2.oe2403.noarch.rpm" }, "name":"python-wheel-wheel-0.40.0-2.oe2403.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"python3-wheel-0.40.0-2.oe2403.noarch.rpm", "name":"python3-wheel-0.40.0-2.oe2403.noarch.rpm" }, "name":"python3-wheel-0.40.0-2.oe2403.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"python-wheel-0.40.0-2.oe2403.src.rpm", "name":"python-wheel-0.40.0-2.oe2403.src.rpm" }, "name":"python-wheel-0.40.0-2.oe2403.src.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"python-wheel-wheel-0.40.0-2.oe2403.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:python-wheel-wheel-0.40.0-2.oe2403.noarch", "name":"python-wheel-wheel-0.40.0-2.oe2403.noarch as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"python3-wheel-0.40.0-2.oe2403.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:python3-wheel-0.40.0-2.oe2403.noarch", "name":"python3-wheel-0.40.0-2.oe2403.noarch as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"python-wheel-0.40.0-2.oe2403.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:python-wheel-0.40.0-2.oe2403.src", "name":"python-wheel-0.40.0-2.oe2403.src as a component of openEuler-24.03-LTS" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2026-24049", "notes":[ { "text":"wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS:python-wheel-wheel-0.40.0-2.oe2403.noarch", "openEuler-24.03-LTS:python3-wheel-0.40.0-2.oe2403.noarch", "openEuler-24.03-LTS:python-wheel-0.40.0-2.oe2403.src" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS:python-wheel-wheel-0.40.0-2.oe2403.noarch", "openEuler-24.03-LTS:python3-wheel-0.40.0-2.oe2403.noarch", "openEuler-24.03-LTS:python-wheel-0.40.0-2.oe2403.src" ], "details":"python-wheel security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1279" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.1, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version":"3.1" }, "products":[ "openEuler-24.03-LTS:python-wheel-wheel-0.40.0-2.oe2403.noarch", "openEuler-24.03-LTS:python3-wheel-0.40.0-2.oe2403.noarch", "openEuler-24.03-LTS:python-wheel-0.40.0-2.oe2403.src" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2026-24049" } ] }