Bug#1106721: bookworm-pu: package setuptools/66.1.1-1+deb12u2

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1106721: bookworm-pu: package setuptools/66.1.1-1+deb12u2
From: Lee Garrett <debian@rocketjump.eu>
Date: Wed, 28 May 2025 14:30:00 +0200
Message-id: <[🔎] 174843540068.299080.9443924121536096288.reportbug@batou>
Reply-to: Lee Garrett <debian@rocketjump.eu>, 1106721@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: setuptools@packages.debian.org, debian@rocketjump.eu
Control: affects -1 + src:setuptools
User: release.debian.org@packages.debian.org
Usertags: pu

It's a targeted fix to close CVE-2025-47273. Thanks!

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

diff -Nru setuptools-66.1.1/debian/changelog setuptools-66.1.1/debian/changelog
--- setuptools-66.1.1/debian/changelog	2024-12-31 01:08:15.000000000 +0100
+++ setuptools-66.1.1/debian/changelog	2025-05-27 13:43:25.000000000 +0200
@@ -1,3 +1,11 @@
+setuptools (66.1.1-1+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS team.
+  * Fix CVE-2025-47273:
+    - Path traversal in PackageIndex.download leads to Arbitrary File Write
+
+ -- Lee Garrett <debian@rocketjump.eu>  Tue, 27 May 2025 13:43:25 +0200
+
 setuptools (66.1.1-1+deb12u1) bookworm; urgency=medium
 
   * Non-maintainer upload by the Debian LTS team.
diff -Nru setuptools-66.1.1/debian/patches/CVE-2025-47273.patch setuptools-66.1.1/debian/patches/CVE-2025-47273.patch
--- setuptools-66.1.1/debian/patches/CVE-2025-47273.patch	1970-01-01 01:00:00.000000000 +0100
+++ setuptools-66.1.1/debian/patches/CVE-2025-47273.patch	2025-05-27 13:43:25.000000000 +0200
@@ -0,0 +1,13 @@
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -829,6 +829,10 @@
+ 
+         filename = os.path.join(tmpdir, name)
+ 
++        # ensure path resolves within the tmpdir
++        if not filename.startswith(str(tmpdir)):
++            raise ValueError(f"Invalid filename {filename}")
++
+         return self._download_vcs(url, filename) or self._download_other(url, filename)
+ 
+     @staticmethod
diff -Nru setuptools-66.1.1/debian/patches/series setuptools-66.1.1/debian/patches/series
--- setuptools-66.1.1/debian/patches/series	2024-12-31 01:08:15.000000000 +0100
+++ setuptools-66.1.1/debian/patches/series	2025-05-27 13:43:25.000000000 +0200
@@ -15,3 +15,4 @@
 no-sphinx-custom-icons.diff
 no-sphinx-hoverxref.diff
 CVE-2024-6345.patch
+CVE-2025-47273.patch

Reply to:

Follow-Ups:
- Processed: bookworm-pu: package setuptools/66.1.1-1+deb12u2
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1106721: setuptools 66.1.1-1+deb12u2 flagged for acceptance
  - From: Adam D Barratt <adam@adam-barratt.org.uk>

Prev by Date: Processed: bookworm-pu: package setuptools/66.1.1-1+deb12u2
Next by Date: Bug#1106722: unblock: pocsuite3/2.0.3-3
Previous by thread: Bug#1106716: marked as done (unblock: krop/0.7.0-0.1)
Next by thread: Processed: bookworm-pu: package setuptools/66.1.1-1+deb12u2
Index(es):
- Date
- Thread