Source: setuptools
Version: 78.1.0-1.2
Severity: important
Tags: security upstream
Forwarded: https://github.com/pypa/setuptools/issues/4946
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for setuptools.

CVE-2025-47273[0]:
| setuptools is a package that allows users to download, build,
| install, upgrade, and uninstall Python packages. A path traversal
| vulnerability in `PackageIndex` is present in setuptools prior to
| version 78.1.1. An attacker would be allowed to write files to
| arbitrary locations on the filesystem with the permissions of the
| process running the Python code, which could escalate to remote code
| execution depending on the context. Version 78.1.1 fixes the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-47273
    https://www.cve.org/CVERecord?id=CVE-2025-47273
[1] https://github.com/pypa/setuptools/issues/4946
[2] https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b
[3] https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
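The bug class named in the advisory above (a download routine that builds an on-disk path from a name taken from the remote side, so "../" components or an absolute name land the file outside the download directory) is illustrated by the following added example. It is not setuptools code and does not reproduce the actual `PackageIndex` bug or the upstream fix in commit [2]; the directory `/srv/build/downloads`, the sample names, and the function names are all constructed for the illustration. It shows the vulnerable join beside a hardened resolver that strips directory components, allow-lists characters (which also rejects `..` and dotfiles), and finally verifies containment after `realpath`, so that a later change to one layer does not silently reopen the hole.

```python
import os
import re

# Hypothetical download directory; it does not need to exist for the checks below.
DOWNLOAD_DIR = "/srv/build/downloads"

# Constructed sample names, as a hostile index page or redirect could supply them
# (not taken from the advisory or the upstream issue).
SAMPLE_NAMES = [
    "example-1.0.tar.gz",           # benign
    "../../../home/user/.bashrc",   # relative traversal out of the directory
    "/etc/cron.d/evil",             # absolute name: os.path.join drops the directory
    "..\\..\\evil.py",              # backslash traversal (only a separator on Windows)
    ".hidden",                      # dotfile, rejected by the allow-list below
]

# Allow-list for the final file name: must start with an alphanumeric, so "",
# ".", "..", and dotfiles are refused; no separators or control characters.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def unsafe_download_path(download_dir, name):
    """Vulnerable pattern: trust the remotely supplied name as-is.

    os.path.join discards download_dir entirely when name is absolute,
    and '..' components walk out of it.
    """
    return os.path.join(download_dir, name)


def escapes_directory(download_dir, path):
    """True if path, after normalisation and symlink resolution, lies outside download_dir."""
    root = os.path.realpath(download_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([root, target]) != root


def safe_download_path(download_dir, name):
    """Hardened resolver: three independent layers, any one of which stops traversal."""
    # Layer 1: keep only the last path component, treating '\' as a separator too.
    base = os.path.basename(name.replace("\\", "/"))
    # Layer 2: character allow-list on that component.
    if not _SAFE_NAME.fullmatch(base):
        raise ValueError(f"refusing unsafe download name: {name!r}")
    path = os.path.join(download_dir, base)
    # Layer 3: containment check on the resolved path (defence in depth).
    if escapes_directory(download_dir, path):
        raise ValueError(f"download name escapes directory: {name!r}")
    return path


def classify(download_dir=DOWNLOAD_DIR, names=SAMPLE_NAMES):
    """For each name, report whether the naive join escapes and what the safe resolver yields."""
    results = {}
    for name in names:
        unsafe = unsafe_download_path(download_dir, name)
        try:
            safe = safe_download_path(download_dir, name)
        except ValueError:
            safe = None  # rejected outright
        results[name] = {
            "unsafe_escapes": escapes_directory(download_dir, unsafe),
            "safe": safe,
        }
    return results


if __name__ == "__main__":
    for name, r in classify().items():
        verdict = "REJECTED" if r["safe"] is None else r["safe"]
        print(f"{name!r:32} naive join escapes: {r['unsafe_escapes']!s:5}  hardened: {verdict}")
```

The containment check alone is not sufficient in practice: `realpath` only resolves symlinks that exist at check time, so a directory that is later replaced by a symlink (or a name that is valid but collides with an existing file) is still a problem. That is why the resolver also refuses to keep any directory component from the remote name, and why a real downloader should additionally open the target with `O_EXCL` or write to a fresh temporary name and rename.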