
Possible remote code execution through package index #4331

Closed
5 tasks done
jaraco opened this issue Apr 29, 2024 · 2 comments
jaraco commented Apr 29, 2024

On April 22, the Setuptools project received a report of a possible vulnerability through Tidelift. This issue tracks the repair and eventual disclosure of that vulnerability.

This issue affects deprecated portions of Setuptools and is not believed to affect the bulk of users, especially those reliant on modern packaging installers (e.g. pip).

Status:

  • reported
  • investigated
  • acknowledged and confirmed
  • CVE drafted
  • remediation committed and released

Edit:

The issue is a possible remote code execution by supplying malicious URLs in a package index or via the command line. The issue boils down to unsafe use of os.system. Because easy_install and package_index are deprecated, the attack surface is smaller, but it's conceivable that social engineering or a minor compromise of a package index could grant remote access. The fix was released in v70.0.0.
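The unsafe pattern the edit describes, beside its argv-based hardened form and a small auditing check, as an added example that is not Setuptools' code from this issue or from #4332; the `svn checkout` command line, the `example.invalid` URLs and the http(s) scheme check are assumptions chosen for illustration.

```python
"""Added example (not Setuptools code): a shell command string built from an
attacker-supplied URL and handed to os.system() versus an argv list that the
shell never re-parses. The 'svn checkout' command is an illustrative
assumption, not a claim about the exact code path fixed in #4332."""
import subprocess
from urllib.parse import urlsplit

# Characters the shell treats as operators or quoting when a string is
# interpolated unquoted. '&' and '|' are legitimate in query strings, but
# under os.system() they are shell operators, which is exactly the hazard.
_SHELL_META = set(";&|`$<>(){}'\"\\")
_SAFE_SCHEMES = {"http", "https"}


def has_shell_metachars(url: str) -> bool:
    """Auditing check: True if any shell metacharacter or whitespace is
    present, a signal that an index entry was crafted for a shell consumer."""
    return any(c in _SHELL_META or c.isspace() for c in url)


def vulnerable_command(url: str, dest: str) -> str:
    """The unsafe pattern: plain string formatting. Passing this string to
    os.system() lets every metacharacter in `url` be interpreted by /bin/sh."""
    return "svn checkout -q %s %s" % (url, dest)


def is_http_url(url: str) -> bool:
    """Extra hardening (an assumption, not taken from the issue): only accept
    http(s) URLs that name a host, so file:// and similar never reach a tool."""
    parts = urlsplit(url)
    return parts.scheme in _SAFE_SCHEMES and bool(parts.netloc)


def checkout_argv(url: str, dest: str) -> list[str]:
    """The hardened form: the URL is exactly one argv element. With
    shell=False no shell tokenises it, whatever characters it contains."""
    if not is_http_url(url):
        raise ValueError("refusing non-http(s) index URL: %r" % url)
    return ["svn", "checkout", "-q", url, dest]


def checkout(url: str, dest: str) -> None:
    # shell=False (the default) is what makes the argv form safe; never
    # combine shell=True with strings an index or a user can influence.
    subprocess.run(checkout_argv(url, dest), shell=False, check=True)
```

Note that `checkout_argv` accepts the constructed URL containing `;` because it is a valid http URL; the argv form, not the scheme check, is what keeps that character inert.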

@jaraco jaraco self-assigned this Apr 29, 2024

jaraco commented May 31, 2024

We've been tracking this issue on huntr.com and in this doc.


jaraco commented May 31, 2024

The issue was fixed in #4332.

@jaraco jaraco closed this as completed May 31, 2024
@jaraco jaraco changed the title Undisclosed vulnerability Possible remote code execution through package index Jun 11, 2024