- Notifications
You must be signed in to change notification settings - Fork0
Update dependency setuptools to v78 [SECURITY]#22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Open
renovate wants to merge1 commit intomainChoose a base branch
base:main
Could not load branches
Branch not found:{{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline, and old review comments may become outdated.
Uh oh!
There was an error while loading.Please reload this page.
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
sourcery-aibot commentedMay 20, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Reviewer's GuideUpgrade setuptools in requirements.txt from ~=70.0.0 to ~=78.1.1 to resolve a path traversal vulnerability (CVE-2025-47273). Sequence Diagram:CVE-2025-47273 Path Traversal Vulnerability in setuptools < 78.1.1sequenceDiagram autonumber actor Attacker participant UserProcess as "User Process (using setuptools)" participant PackageIndex as "setuptools.PackageIndex._download_url (<78.1.1)" participant Utils as "Utility functions (e.g. egg_info_for_url)" participant OSPath as "os.path" participant Filesystem Attacker-->>UserProcess: Provides malicious URL (e.g., in package metadata or index) UserProcess->>+PackageIndex: Calls _download_url(malicious_url, "/intended/tmp/dir") PackageIndex->>+Utils: egg_info_for_url(malicious_url) Utils-->>-PackageIndex: Returns 'name' derived from URL (e.g., "../../../../etc/passwd" or "/etc/passwd") PackageIndex->>PackageIndex: Insufficient sanitization of 'name' PackageIndex->>+OSPath: join("/intended/tmp/dir", name) OSPath-->>-PackageIndex: filename (e.g., "/etc/passwd" or "/intended/tmp/dir/../../../../etc/passwd") Note right of OSPath: If 'name' is absolute, initial path is discarded. Note right of OSPath: '..' can lead to path traversal. PackageIndex->>+Filesystem: Writes downloaded content to 'filename' Filesystem-->>-PackageIndex: File written to unintended arbitrary location PackageIndex-->>-UserProcess: Operation completes, potentially compromising systemFile-Level Changes
Possibly linked issues
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess yourdashboard to:
Getting Help
|
e1ca4e8 to7d9964fCompare7d9964f to9ee1d0cCompare66294af to41c990fCompare41c990f to24bc0abCompare24bc0ab to4a55c69Compare4a55c69 to55b7676Compare55b7676 tod8ed53cCompare0d608be to67f961cCompare8252ceb to1fd83b9Compare1fd83b9 tob3101beCompareb3101be toa7eff52Comparea7eff52 to4125da3Compare4125da3 to9ef7bebCompare9ef7beb to0873764Compare0873764 tocfae305CompareSign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading.Please reload this page.
This PR contains the following updates:
~=70.0.0->~=78.1.1GitHub Vulnerability Alerts
CVE-2025-47273
Summary
A path traversal vulnerability in
PackageIndexwas fixed in setuptools version 78.1.1Details
Here:https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88
os.path.join()discards the first argumenttmpdirif the second begins with a slash or drive letter.nameis derived from a URL without sufficient sanitization. While there is some attempt to sanitize by replacing instances of '..' with '.', it is insufficient.Risk Assessment
As easy_install and package_index are deprecated, the exploitation surface is reduced.
However, it seems this could be exploited in a similar fashion likeGHSA-r9hx-vwmv-q579, and as described by POC 4 inGHSA-cx63-2mw6-8hw5 report: via malicious URLs present on the pages of a package index.
Impact
An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context.
References
https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
https://github.com/pypa/setuptools/issues/4946
Release Notes
pypa/setuptools (setuptools)
v78.1.1Compare Source
v78.1.0Compare Source
v78.0.2Compare Source
v78.0.1Compare Source
v77.0.3Compare Source
v77.0.1Compare Source
v76.1.0Compare Source
v76.0.0Compare Source
v75.9.1Compare Source
v75.9.0Compare Source
v75.8.2Compare Source
v75.8.1Compare Source
v75.8.0Compare Source
v75.7.0Compare Source
v75.6.0Compare Source
v75.5.0Compare Source
v75.4.0Compare Source
v75.3.2Compare Source
v75.3.1Compare Source
v75.3.0Compare Source
v75.2.0Compare Source
v75.1.0Compare Source
v75.0.0Compare Source
v74.1.3Compare Source
v74.1.2Compare Source
v74.1.1Compare Source
v74.1.0Compare Source
v74.0.0Compare Source
v73.0.1Compare Source
v73.0.0Compare Source
v72.2.0Compare Source
v72.1.0Compare Source
v72.0.0Compare Source
v71.1.0Compare Source
v71.0.4Compare Source
v71.0.3Compare Source
v71.0.2Compare Source
v71.0.1Compare Source
v71.0.0Compare Source
v70.3.0Compare Source
v70.2.0Compare Source
v70.1.1Compare Source
v70.1.0Compare Source
Configuration
📅Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated byMend Renovate. View therepository job log.