Source: pdm X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security
Hi, The following vulnerability was published for pdm. CVE-2023-45805[0]: | pdm is a Python package and dependency manager supporting the latest | PEP standards. It's possible to craft a malicious `pdm.lock` file | that could allow e.g. an insider or a malicious open source project | to appear to depend on a trusted PyPI project, but actually install | another project. A project `foo` can be targeted by creating the | project `foo-2` and uploading the file `foo-2-2.tar.gz` to pypi.org. | PyPI will see this as project `foo-2` version `2`, while PDM will | see this as project `foo` version `2-2`. The version must only be | `parseable as a version` and the filename must be a prefix of the | project name, but it's not verified to match the version being | installed. Version `2-2` is also not a valid normalized version per | PEP 440. Matching the project name exactly (not just prefix) would | fix the issue. When installing dependencies with PDM, what's | actually installed could differ from what's listed in | `pyproject.toml` (including arbitrary code execution on install). It | could also be used for downgrade attacks by only changing the | version. This issue has been addressed in commit `6853e2642df` which | is included in release version `2.9.4`. Users are advised to | upgrade. There are no known workarounds for this vulnerability. https://github.com/pdm-project/pdm/security/advisories/GHSA-j44v-mmf2-xvm9 https://github.com/pdm-project/pdm/commit/6853e2642dfa281d4a9958fbc6c95b7e32d84831 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-45805 https://www.cve.org/CVERecord?id=CVE-2023-45805 Please adjust the affected versions in the BTS as needed.
