Update dependency setuptools to v78 [SECURITY] #36
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==74.0.0->==78.1.1GitHub Vulnerability Alerts
CVE-2025-47273
Summary
A path traversal vulnerability in
PackageIndexwas fixed in setuptools version 78.1.1Details
Here: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88
os.path.join()discards the first argumenttmpdirif the second begins with a slash or drive letter.nameis derived from a URL without sufficient sanitization. While there is some attempt to sanitize by replacing instances of '..' with '.', it is insufficient.Risk Assessment
As easy_install and package_index are deprecated, the exploitation surface is reduced.
However, it seems this could be exploited in a similar fashion like GHSA-r9hx-vwmv-q579, and as described by POC 4 in GHSA-cx63-2mw6-8hw5 report: via malicious URLs present on the pages of a package index.
Impact
An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context.
References
https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
https://github.com/pypa/setuptools/issues/4946
Release Notes
pypa/setuptools (setuptools)
v78.1.1Compare Source
v78.1.0Compare Source
v78.0.2Compare Source
v78.0.1Compare Source
v77.0.3Compare Source
v77.0.1Compare Source
v76.1.0Compare Source
v76.0.0Compare Source
v75.9.1Compare Source
v75.9.0Compare Source
v75.8.2Compare Source
v75.8.1Compare Source
v75.8.0Compare Source
v75.7.0Compare Source
v75.6.0Compare Source
v75.5.0Compare Source
v75.4.0Compare Source
v75.3.2Compare Source
v75.3.1Compare Source
v75.3.0Compare Source
v75.2.0Compare Source
v75.1.0Compare Source
v75.0.0Compare Source
v74.1.3Compare Source
v74.1.2Compare Source
v74.1.1Compare Source
v74.1.0Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.