chore(deps): update dependency setuptools to v78 [security] #45

renovate · 2024-07-15T19:48:15Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
setuptools (changelog)	`==68.` -> `==78.`

GitHub Vulnerability Alerts

CVE-2024-6345

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

CVE-2025-47273

Summary

A path traversal vulnerability in PackageIndex was fixed in setuptools version 78.1.1

Details

    def _download_url(self, url, tmpdir):
        # Determine download filename
        #
        name, _fragment = egg_info_for_url(url)
        if name:
            while '..' in name:
                name = name.replace('..', '.').replace('\\', '_')
        else:
            name = "__downloaded__"  # default if URL has no path contents

        if name.endswith('.[egg.zip](http://egg.zip/)'):
            name = name[:-4]  # strip the extra .zip before download

 -->       filename = os.path.join(tmpdir, name)

Here: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88

os.path.join() discards the first argument tmpdir if the second begins with a slash or drive letter.
name is derived from a URL without sufficient sanitization. While there is some attempt to sanitize by replacing instances of '..' with '.', it is insufficient.

Risk Assessment

As easy_install and package_index are deprecated, the exploitation surface is reduced.
However, it seems this could be exploited in a similar fashion like GHSA-r9hx-vwmv-q579, and as described by POC 4 in GHSA-cx63-2mw6-8hw5 report: via malicious URLs present on the pages of a package index.

Impact

An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context.

References

https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
https://github.com/pypa/setuptools/issues/4946

Release Notes

pypa/setuptools (setuptools)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

sonarqubecloud · 2024-07-21T20:24:53Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

sonarqubecloud · 2025-05-20T00:11:20Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

renovate bot requested a review from a team as a code owner July 15, 2024 19:48

renovate bot added major renovate labels Jul 15, 2024

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from f996056 to b246ff6 Compare July 21, 2024 15:12

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v71 [security] Jul 21, 2024

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from b246ff6 to 3aa423e Compare July 21, 2024 20:24

renovate bot changed the title ~~chore(deps): update dependency setuptools to v71 [security]~~ chore(deps): update dependency setuptools to v70 [security] Jul 21, 2024

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from 3aa423e to 68640a3 Compare December 10, 2024 12:20

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v75 [security] Dec 10, 2024

renovate bot changed the title ~~chore(deps): update dependency setuptools to v75 [security]~~ chore(deps): update dependency setuptools to v70 [security] Dec 10, 2024

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch 2 times, most recently from 9bbb1a8 to dffce4a Compare December 16, 2024 10:00

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v75 [security] Dec 16, 2024

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from dffce4a to cc4de5d Compare December 16, 2024 13:13

renovate bot changed the title ~~chore(deps): update dependency setuptools to v75 [security]~~ chore(deps): update dependency setuptools to v70 [security] Dec 16, 2024

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from cc4de5d to 8f172f3 Compare December 17, 2024 19:18

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v75 [security] Dec 17, 2024

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from 8f172f3 to 0b52681 Compare December 17, 2024 23:28

renovate bot changed the title ~~chore(deps): update dependency setuptools to v75 [security]~~ chore(deps): update dependency setuptools to v70 [security] Dec 17, 2024

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from 0b52681 to 9cb8057 Compare January 14, 2025 18:07

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v75 [security] Jan 14, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from 9cb8057 to f60b87a Compare January 14, 2025 23:47

renovate bot changed the title ~~chore(deps): update dependency setuptools to v75 [security]~~ chore(deps): update dependency setuptools to v70 [security] Jan 14, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from f60b87a to bbab583 Compare January 30, 2025 17:50

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v75 [security] Jan 30, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from bbab583 to f6c331f Compare January 30, 2025 20:46

renovate bot changed the title ~~chore(deps): update dependency setuptools to v75 [security]~~ chore(deps): update dependency setuptools to v70 [security] Jan 30, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from f6c331f to 2cd628a Compare March 3, 2025 12:28

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v75 [security] Mar 3, 2025

renovate bot changed the title ~~chore(deps): update dependency setuptools to v75 [security]~~ chore(deps): update dependency setuptools to v70 [security] Mar 3, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from 2cd628a to de01ce2 Compare March 3, 2025 20:31

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v76 [security] Mar 17, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch 2 times, most recently from 7265b45 to c49dbe8 Compare March 17, 2025 23:21

renovate bot changed the title ~~chore(deps): update dependency setuptools to v76 [security]~~ chore(deps): update dependency setuptools to v70 [security] Mar 17, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from c49dbe8 to 2bdf539 Compare April 9, 2025 12:27

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v78 [security] Apr 9, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from 2bdf539 to fd4c009 Compare April 9, 2025 19:22

renovate bot changed the title ~~chore(deps): update dependency setuptools to v78 [security]~~ chore(deps): update dependency setuptools to v70 [security] Apr 9, 2025

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v80 [security] May 7, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch 2 times, most recently from c07e6e6 to ca4bf52 Compare May 7, 2025 20:41

renovate bot changed the title ~~chore(deps): update dependency setuptools to v80 [security]~~ chore(deps): update dependency setuptools to v70 [security] May 7, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from ca4bf52 to a3b48b6 Compare May 12, 2025 07:40

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v80 [security] May 12, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from a3b48b6 to 675156e Compare May 12, 2025 10:49

renovate bot changed the title ~~chore(deps): update dependency setuptools to v80 [security]~~ chore(deps): update dependency setuptools to v70 [security] May 12, 2025

chore(deps): update dependency setuptools to v78 [security]

1d33ed3

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from 675156e to 1d33ed3 Compare May 20, 2025 00:11

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v78 [security] May 20, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency setuptools to v78 [security] #45

chore(deps): update dependency setuptools to v78 [security] #45

renovate bot commented Jul 15, 2024 •

edited

Loading

sonarqubecloud bot commented Jul 21, 2024

sonarqubecloud bot commented May 20, 2025

chore(deps): update dependency setuptools to v78 [security] #45

Are you sure you want to change the base?

chore(deps): update dependency setuptools to v78 [security] #45

Conversation

renovate bot commented Jul 15, 2024 • edited Loading

GitHub Vulnerability Alerts

Summary

Details

Risk Assessment

Impact

References

Release Notes

Configuration

sonarqubecloud bot commented Jul 21, 2024

Quality Gate passed

sonarqubecloud bot commented May 20, 2025

Quality Gate passed

renovate bot commented Jul 15, 2024 •

edited

Loading