Source: setuptools
Version: 78.1.1-0.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 80.9.0-1

Hi,

The following vulnerability was published for setuptools.

CVE-2026-23949[0]:
| jaraco.context, an open-source software package that provides some
| useful decorators and context managers, has a Zip Slip path
| traversal vulnerability in the `jaraco.context.tarball()` function
| starting in version 5.2.0 and prior to version 6.1.0. The
| vulnerability may allow attackers to extract files outside the
| intended extraction directory when malicious tar archives are
| processed. The strip_first_component filter splits the path on the
| first `/` and extracts the second component, while allowing `../`
| sequences. Paths like `dummy_dir/../../etc/passwd` become
| `../../etc/passwd`. Note that this suffers from a nested tarball
| attack as well with multi-level tar files such as
| `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a
| traversal `dummy_dir/../../config/.env` that also gets translated to
| `../../config/.env`. Version 6.1.0 contains a patch for the issue.

setuptools includes a bundled version of jaraco.context.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-23949
    https://www.cve.org/CVERecord?id=CVE-2026-23949
[1] https://github.com/jaraco/jaraco.context/security/advisories/GHSA-58pv-8j8x-9vj2

Regards,
Salvatore
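Added illustration (not the bug report's or jaraco.context's own code): a reconstruction of the strip-first-component behaviour the advisory describes, beside a hardened variant that normalizes the stripped name and refuses anything that would climb out of the extraction root. Function names and the sample member names are constructed for this example; in real code the stdlib `tarfile.data_filter(member, dest_path)` performs this containment check (and more) against the actual destination.

```python
import posixpath
import tarfile


def strip_first_component_unsafe(member: tarfile.TarInfo, dest_path=None) -> tarfile.TarInfo:
    """Reconstruction of the behaviour the advisory describes: drop everything
    up to the first '/' and keep the remainder without any traversal check."""
    _, member.name = member.name.split("/", 1)
    return member


class OutsideDestinationError(ValueError):
    """Raised for a member whose stripped name would escape the extraction root."""


def strip_first_component_safe(member: tarfile.TarInfo, dest_path=None) -> tarfile.TarInfo:
    """Same rename, then reject names that resolve above the extraction root.

    The check is purely lexical (posixpath.normpath), which is enough to catch
    the '../' sequences in the advisory; tarfile.data_filter additionally
    resolves the real destination path and blocks symlink-based escapes.
    """
    _head, _sep, rest = member.name.partition("/")
    normalized = posixpath.normpath(rest)
    if normalized.startswith("/") or normalized == ".." or normalized.startswith("../"):
        raise OutsideDestinationError(member.name)
    member.name = normalized
    return member


def apply_filter(filter_fn, name: str):
    """Run an extraction filter over a constructed TarInfo and return the
    name the member would be extracted under, or None if it was rejected."""
    try:
        return filter_fn(tarfile.TarInfo(name), "/tmp/extract").name
    except OutsideDestinationError:
        return None


if __name__ == "__main__":
    # Constructed member names, including the traversal shape from the advisory.
    for name in ("dummy_dir/src/main.py", "dummy_dir/../../etc/passwd", "dummy_dir/sub/../ok.txt"):
        print(f"{name!r:40} unsafe -> {apply_filter(strip_first_component_unsafe, name)!r:22} "
              f"safe -> {apply_filter(strip_first_component_safe, name)!r}")
```

The nested-tarball case in the advisory is the same defect one level down: whatever code extracts the inner archive must run the checked filter on every member as well, because the outer filter only ever sees `dummy_dir/inner.tar.gz`.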

