
RHOAIENG-64109: Upgrade pip to 26.1.2 to fix CVE-2026-8643#921

Closed
jira-autofix[bot] wants to merge 3 commits into main from autofix/rhoaieng-64109

@jira-autofix jira-autofix Bot commented Jun 11, 2026

Contributor

Summary

  • Upgrades pip from base image version to exactly 26.1.2 in the py311-rocm62-torch241 training image Dockerfile to fix CVE-2026-8643 (path traversal via malicious entry point name in pip wheel installation)
  • Uses exact version pin (==26.1.2) for deterministic builds per reviewer feedback
  • Upgrade is placed before any pip usage in the Dockerfile to ensure all subsequent operations use the patched version

CVE Details

  • CVE: CVE-2026-8643
  • Severity: Medium (CVSS 8.0)
  • Component: pip wheel installation (distlib scripts)
  • Fix: pip 26.1.2+ validates console_scripts/gui_scripts entry point names to prevent path traversal

Test Plan

  • Container image builds successfully
  • pip version is 26.1.2 in the built image
  • Existing training workflows function correctly with upgraded pip

Summary by CodeRabbit

  • Bug Fixes
    • Upgraded the package manager in the training environment to address security vulnerabilities and improve wheel installation integrity.

Upgrade pip to ~=26.1.2 in the odh-training-rocm62-torch24-py311
Dockerfile to remediate CVE-2026-8643, a path traversal vulnerability
in wheel installation that allows arbitrary file overwrite via malicious
entry point names. The upgrade is placed before the first pip usage to
ensure all subsequent operations use the patched version.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
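
A pre-install check for the class of issue this pull request names, as an added example that is not part of the pull request or of pip's own code: it reads `entry_points.txt` from a wheel and flags `console_scripts`/`gui_scripts` names that are not plain filenames. The rules in `unsafe_reason` and the sample wheel are assumptions constructed here, not pip 26.1.2's actual validation.

```python
import configparser
import io
import zipfile

SCRIPT_GROUPS = ("console_scripts", "gui_scripts")

def unsafe_reason(name):
    """Why `name` is not a plain script filename, or None (assumed rules)."""
    if "/" in name or "\\" in name:
        return "contains a path separator"
    if name in (".", ".."):
        return "is a directory reference"
    if len(name) > 1 and name[1] == ":":
        return "looks like a Windows drive path"
    return None

def audit_wheel(wheel):
    """Return (group, name, reason) per unsafe script entry point in a wheel."""
    findings = []
    with zipfile.ZipFile(wheel) as zf:
        for member in zf.namelist():
            if not member.endswith(".dist-info/entry_points.txt"):
                continue
            parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
            parser.optionxform = str  # entry point names are case-sensitive
            parser.read_string(zf.read(member).decode("utf-8"))
            for group in SCRIPT_GROUPS:
                names = parser[group] if parser.has_section(group) else ()
                for name in names:
                    reason = unsafe_reason(name)
                    if reason:
                        findings.append((group, name, reason))
    return findings

def build_sample_wheel():
    """Constructed sample: an in-memory wheel holding only entry_points.txt."""
    text = ("[console_scripts]\n"
            "demo-cli = demo.cli:main\n"
            "../../outside/demo = demo.cli:main\n"
            "[gui_scripts]\n"
            "demo-gui = demo.gui:main\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo-1.0.dist-info/entry_points.txt", text)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for group, name, reason in audit_wheel(build_sample_wheel()):
        print(f"{group}: {name!r} {reason}")
```

`audit_wheel` also accepts a filesystem path, so it can run over a directory of downloaded wheels before they reach an installer.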

openshift-ci Bot commented Jun 11, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kryanbeane for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot requested review from chipspeak and pawelpaszki June 11, 2026 13:23

coderabbitai Bot commented Jun 11, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 85d099b8-013f-4399-ace2-ed75af4ad3b4

📥 Commits

Reviewing files that changed from the base of the PR and between e004b2d and 94833f0.

📒 Files selected for processing (1)
  • images/runtime/training/py311-rocm62-torch241/Dockerfile

📝 Walkthrough

Dockerfile modified to inject a RUN step that upgrades pip to 26.1.2 using pip install --no-cache-dir --upgrade pip==26.1.2, annotated as a fix for CVE-2026-8643 (CWE-22 path traversal during wheel installation). The upgrade is applied early in the build stage before subsequent ROCm/Python package installation steps.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 9 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| No Privileged Containers | ⚠️ Warning | Dockerfile runs as root (USER 0, line 19) without documented justification, performing privileged operations including system package installation and pip upgrades until line 104. | Add justification comment explaining why root privilege is required, or refactor to minimize privileged operation scope. |

✅ Passed checks (9 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly references the ticket (RHOAIENG-64109), the specific security action (upgrade pip to 26.1.2), and the CVE being addressed (CVE-2026-8643). It accurately describes the primary change in the changeset. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Contribution Quality And Spam Detection | ✅ Passed | CVE-2026-8643 (CWE-22 path traversal in pip's wheel installation via entry points) is real and verified; this container installs external packages from PyPI/GitHub, making the fix legitimate supply... |
| No Hardcoded Secrets | ✅ Passed | Dockerfile contains no hardcoded secrets, API keys, tokens, passwords, embedded credentials in URLs, or suspicious base64 strings. All configuration is legitimate. |
| No Weak Cryptography | ✅ Passed | PR only adds pip/requests package upgrades to fix CVE-2026-8643 (path traversal). No weak cryptography, custom crypto implementations, or insecure comparisons introduced. |
| No Injection Vectors | ✅ Passed | The pip upgrade command uses hardcoded version pin (==26.1.2) with no variables, user input, string interpolation, eval/exec, shell=True, or other injection patterns (CWE-89, CWE-78, CWE-94, CWE-50... |
| No Sensitive Data In Logs | ✅ Passed | PR introduces pip upgrade command with no logging statements or sensitive data exposure. Comment-only addition with standard pip flags; no credentials, tokens, PII, or verbose logging in the change... |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@images/runtime/training/py311-rocm62-torch241/Dockerfile`:
- Around line 22-24: The Dockerfile currently upgrades pip with a non-pinned
spec using the RUN pip install --no-cache-dir --upgrade pip~=26.1.2 instruction;
change this to pin pip exactly to the fixed version by replacing that line with
RUN pip install --no-cache-dir --upgrade pip==26.1.2 so builds are deterministic
and ensure this RUN appears before any package installation steps in the same
Dockerfile.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 72b4a4ac-9d59-4143-aaf7-2ab816c9e554

📥 Commits

Reviewing files that changed from the base of the PR and between 8683d89 and e004b2d.

📒 Files selected for processing (1)
  • images/runtime/training/py311-rocm62-torch241/Dockerfile

Comment thread images/runtime/training/py311-rocm62-torch241/Dockerfile
aipcc-bot and others added 2 commits June 11, 2026 16:00
Change pip version constraint from ~=26.1.2 (compatible release) to
==26.1.2 (exact pin) per review feedback, ensuring deterministic builds.
@sutaakar sutaakar closed this Jun 29, 2026
@sutaakar sutaakar deleted the autofix/rhoaieng-64109 branch June 29, 2026 15:27