Bug#1106721: bookworm-pu: package setuptools/66.1.1-1+deb12u2

Wed, 28 May 2025 05:33:15 -0700 

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: setupto...@packages.debian.org, deb...@rocketjump.eu
Control: affects -1 + src:setuptools
User: release.debian....@packages.debian.org
Usertags: pu

It's a targeted fix to close CVE-2025-47273. Thanks!

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

diff -Nru setuptools-66.1.1/debian/changelog setuptools-66.1.1/debian/changelog
--- setuptools-66.1.1/debian/changelog  2024-12-31 01:08:15.000000000 +0100
+++ setuptools-66.1.1/debian/changelog  2025-05-27 13:43:25.000000000 +0200
@@ -1,3 +1,11 @@
+setuptools (66.1.1-1+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS team.
+  * Fix CVE-2025-47273:
+    - Path traversal in PackageIndex.download leads to Arbitrary File Write
+
+ -- Lee Garrett <deb...@rocketjump.eu>  Tue, 27 May 2025 13:43:25 +0200
+
 setuptools (66.1.1-1+deb12u1) bookworm; urgency=medium
 
   * Non-maintainer upload by the Debian LTS team.
diff -Nru setuptools-66.1.1/debian/patches/CVE-2025-47273.patch 
setuptools-66.1.1/debian/patches/CVE-2025-47273.patch
--- setuptools-66.1.1/debian/patches/CVE-2025-47273.patch       1970-01-01 
01:00:00.000000000 +0100
+++ setuptools-66.1.1/debian/patches/CVE-2025-47273.patch       2025-05-27 
13:43:25.000000000 +0200
@@ -0,0 +1,13 @@
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -829,6 +829,10 @@
+ 
+         filename = os.path.join(tmpdir, name)
+ 
++        # ensure path resolves within the tmpdir
++        if not filename.startswith(str(tmpdir)):
++            raise ValueError(f"Invalid filename {filename}")
++
+         return self._download_vcs(url, filename) or self._download_other(url, 
filename)
+ 
+     @staticmethod
diff -Nru setuptools-66.1.1/debian/patches/series 
setuptools-66.1.1/debian/patches/series
--- setuptools-66.1.1/debian/patches/series     2024-12-31 01:08:15.000000000 
+0100
+++ setuptools-66.1.1/debian/patches/series     2025-05-27 13:43:25.000000000 
+0200
@@ -15,3 +15,4 @@
 no-sphinx-custom-icons.diff
 no-sphinx-hoverxref.diff
 CVE-2024-6345.patch
+CVE-2025-47273.patch

Reply via email to