Your message dated Wed, 04 Feb 2026 00:50:34 +0000
with message-id <[email protected]>
and subject line Bug#1126274: fixed in wheel 0.46.3-1
has caused the Debian Bug report #1126274,
regarding wheel: CVE-2026-24049
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126274: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126274
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: wheel
Version: 0.46.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for wheel.

CVE-2026-24049[0]:
| wheel is a command line tool for manipulating Python wheel files, as
| defined in PEP 427. In versions 0.46.1 and below, the unpack
| function is vulnerable to file permission modification through
| mishandling of file permissions after extraction. The logic blindly
| trusts the filename from the archive header for the chmod operation,
| even though the extraction process itself might have sanitized the
| path. Attackers can craft a malicious wheel file that, when
| unpacked, changes the permissions of critical system files (e.g.,
| /etc/passwd, SSH keys, config files), allowing for Privilege
| Escalation or arbitrary code execution by modifying now-writable
| scripts. This issue has been fixed in version 0.46.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-24049
    https://www.cve.org/CVERecord?id=CVE-2026-24049
[1] https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx
[2] https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
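The flaw described in the report is a permission step that trusts the archive's raw member name while the extraction step itself has already been confined to the destination. The following is an added illustration (not wheel's own code or its fix) of the safe pattern: resolve each member against the destination, skip anything that would land outside it, and apply the stored unix mode bits only to the resolved output path. The sample archive it builds is constructed here for the demonstration.

```python
import stat
import tempfile
import zipfile
from pathlib import Path

def safe_member_path(dest: Path, name: str):
    """Resolve name under dest; None if an absolute or '..' name would escape."""
    target = (dest / name).resolve()
    try:
        target.relative_to(dest)
    except ValueError:
        return None
    return target

def unpack_wheel(wheel_path, dest) -> dict:
    """Extract members kept inside dest; chmod the resolved path, not the raw name."""
    out = Path(dest).resolve()
    written, skipped = {}, []
    with zipfile.ZipFile(wheel_path) as zf:
        for info in zf.infolist():
            target = safe_member_path(out, info.filename)
            if target is None:
                skipped.append(info.filename)  # escaping entry: no write, no chmod
                continue
            if info.is_dir():
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            mode = (info.external_attr >> 16) & 0o777  # unix bits sit in the high word
            if mode:
                target.chmod(mode)  # the reported flaw applied this to info.filename
            written[str(target.relative_to(out))] = stat.S_IMODE(target.stat().st_mode)
    return {"written": written, "skipped": skipped}

def build_sample_wheel(path: Path) -> None:
    """Constructed sample: a normal script plus an entry that climbs out of dest."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, mode in (("pkg/run.py", 0o755), ("../outside.txt", 0o777)):
            info = zipfile.ZipInfo(name)
            info.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(info, b"# constructed sample\n")

def demo() -> dict:
    """Build the sample in a temp dir, unpack it and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_wheel(Path(tmp, "sample.whl"))
        result = unpack_wheel(Path(tmp, "sample.whl"), Path(tmp, "unpacked"))
        result["outside_created"] = Path(tmp, "outside.txt").exists()
    return result
```

Running `demo()` shows the escaping entry being skipped entirely, so neither a write nor a chmod ever reaches a path outside the unpack directory, while the legitimate script keeps its recorded mode.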
--- Begin Message ---
Source: wheel
Source-Version: 0.46.3-1
Done: Stefano Rivera <[email protected]>

We believe that the bug you reported is fixed in the latest version of
wheel, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefano Rivera <[email protected]> (supplier of updated wheel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Tue, 03 Feb 2026 19:07:11 -0400
Source: wheel
Architecture: source
Version: 0.46.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Stefano Rivera <[email protected]>
Closes: 1126274
Changes:
 wheel (0.46.3-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes CVE-2026-24049, potentially altering permissions of files outside
       the destination tree, given malicious wheels. (Closes: #1126274)
   * Refresh patches.
   * Bump Standards-Version to 4.7.3, dropping Priority: optional.
   * Drop Rules-Requires-Root: no, no longer needed.
   * Patch: Support packaging 25 in tests.



--- End Message ---
