1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-19 04:47:02 +00:00

python3-setuptools: fix CVE-2025-47273

setuptools is a package that allows users to download, build, install,
upgrade, and uninstall Python packages. A path traversal vulnerability
in `PackageIndex` is present in setuptools prior to version 78.1.1. An
attacker would be allowed to write files to arbitrary locations on the
filesystem with the permissions of the process running the Python code,
which could escalate to remote code execution depending on the context.
Version 78.1.1 fixes the issue.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47273

Upstream-patch:
https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a
https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b

(From OE-Core rev: cfb2d77f841ae21cae0ba7d6263dc3e1e0280400)

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Praveen Kumar
2025-06-27 15:50:54 +05:30
committed by Steve Sakoman
parent 0372024fe7
commit f53d6b5b2f
3 changed files with 119 additions and 1 deletions
@@ -11,7 +11,10 @@ CVE_PRODUCT = "python3-setuptools python:setuptools"
SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-easy_install.patch"
SRC_URI += " \
file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch"
file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch \
file://CVE-2025-47273-pre1.patch \
file://CVE-2025-47273.patch \
"
SRC_URI[sha256sum] = "43b4ee60e10b0d0ee98ad11918e114c70701bc6051662a9a675a0496c1a158f4"