python-3.14: cherry-pick fix for critical CVE-2026-6100 (#72445)

- **CVE-2026-6100** (Critical, CVSS 9.1) — Use-after-free in `lzma.LZMADecompressor`,
    `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a decompressor instance is re-used
    after MemoryError. Cherry-pick of commit `6a5f79c8` from the 3.14 branch.
    - GHSA: GHSA-pg25-7cx5-cvcm
    - Upstream: python/cpython#148480

- **CVE-2026-1502** (Medium) — CR/LF bytes not rejected in HTTP client proxy tunnel
    headers. Cherry-pick of commit `b1cf9016` from the 3.14 branch.
    - GHSA: GHSA-hjxq-7w9q-2jw6
    - Upstream: python/cpython#148342

- **CVE-2026-4786** (High) — Incomplete mitigation of CVE-2026-4519; `%action`
    substitution bypass of dash-prefix check in `webbrowser`. Cherry-pick of commit
    `d22922c8` from main (3.14 backport PR #148516 is open and mergeable; identical
    file changes verified).
    - GHSA: GHSA-cccx-m78h-m3xw
    - Upstream: python/cpython#148170

Signed-off-by: Brian Carey <brian.carey@chainguard.dev>

Export:  edefd2a320a9e3d0ed5d7eb99a5b6f5c35bcb7fc

Author: brianmcarey

python-3.14.yaml

@@ -1,7 +1,7 @@
 package:
   name: python-3.14
   version: "3.14.4"
-  epoch: 2
+  epoch: 3 # CVE-2026-6100, CVE-2026-1502, CVE-2026-4786
   description: "the Python programming language"
   copyright:
     - license: PSF-2.0
@@ -91,6 +91,10 @@ pipeline:
       expected-commit: 23116f998f6789d8c2fbe5ed5b8146854c8c2a4f
       repository: https://github.com/python/cpython.git
       tag: v${{package.version}}
+      cherry-picks: |
+        3.14/6a5f79c8d7bbf22b083b240910c7a8781a59437d: CVE-2026-6100 (gh-148395) UAF in LZMA/BZ2/Zlib decompressors
+        3.14/b1cf9016335cb637c5a425032e8274a224f4b2ed: CVE-2026-1502 (gh-146211) CR/LF injection in HTTP tunnel headers
+        main/d22922c8a7958353689dc4763dd72da2dea03fff: CVE-2026-4786 (gh-148169) webbrowser %action bypass
 
   - name: Force use of system libraries
     runs: |