Source: wheel
Version: 0.46.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for wheel.

CVE-2026-24049[0]:
| wheel is a command line tool for manipulating Python wheel files, as
| defined in PEP 427. In versions 0.46.1 and below, the unpack
| function is vulnerable to file permission modification through
| mishandling of file permissions after extraction. The logic blindly
| trusts the filename from the archive header for the chmod operation,
| even though the extraction process itself might have sanitized the
| path. Attackers can craft a malicious wheel file that, when
| unpacked, changes the permissions of critical system files (e.g.,
| /etc/passwd, SSH keys, config files), allowing for Privilege
| Escalation or arbitrary code execution by modifying now-writable
| scripts. This issue has been fixed in version 0.46.2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-24049
    https://www.cve.org/CVERecord?id=CVE-2026-24049
[1] https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx
[2] https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
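The pattern the CVE text describes (an extractor that sanitizes the path but a chmod that reuses the raw archive filename) can be avoided by refusing entries that would land outside the destination and by applying mode bits only to the path the extractor actually wrote. The following is an added illustration, not wheel's own code and not the upstream fix; `safe_unpack` and `build_archive` are assumed names, and the archives built are constructed test fixtures.

```python
import io
import os
import zipfile
from pathlib import Path


def safe_unpack(archive: bytes, dest: str) -> dict:
    """Extract a zip-based archive (a wheel is one) under dest and apply each
    entry's Unix mode bits to the path that was actually written, never to a
    path built from the untrusted archive filename. Returns {name: mode}."""
    dest_root = Path(dest).resolve()
    applied = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            # Where would this entry land if its name were trusted verbatim?
            # Refuse anything resolving outside dest instead of relying on the
            # extractor to quietly rewrite it and then chmod-ing the wrong path.
            target = (dest_root / info.filename).resolve()
            if target != dest_root and dest_root not in target.parents:
                raise ValueError(f"entry escapes destination: {info.filename!r}")
            # extract() returns the real on-disk path; use only that for chmod.
            written = Path(zf.extract(info, dest_root))
            # Permission bits only: drop setuid/setgid/sticky from the archive.
            mode = (info.external_attr >> 16) & 0o777
            if mode and not info.is_dir():
                os.chmod(written, mode)
                applied[info.filename] = mode
    return applied


def build_archive(entries) -> bytes:
    """Constructed test fixture: in-memory zip from (name, data, mode) tuples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, mode in entries:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = (mode & 0xFFFF) << 16  # Unix mode in the high 16 bits
            zf.writestr(zi, data)
    return buf.getvalue()
```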

