An update for python-wheel is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1279 Final 1.0 1.0 2026-02-06 Initial 2026-02-06 2026-02-06 openEuler SA Tool V1.0 2026-02-06 python-wheel security update An update for python-wheel is now available for openEuler-24.03-LTS A built-package format for Python. A wheel is a ZIP-format archive with a specially formatted filename and the .whl extension. It is designed to contain all the files for a PEP 376 compatible install in a way that is very close to the on-disk format. Security Fix(es): wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.(CVE-2026-24049) An update for python-wheel is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High python-wheel https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1279 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-24049 https://nvd.nist.gov/vuln/detail/CVE-2026-24049 openEuler-24.03-LTS python-wheel-wheel-0.40.0-2.oe2403.noarch.rpm python3-wheel-0.40.0-2.oe2403.noarch.rpm python-wheel-0.40.0-2.oe2403.src.rpm wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2. 2026-02-06 CVE-2026-24049 openEuler-24.03-LTS High 7.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H python-wheel security update 2026-02-06 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1279