git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit

author	Praveen Kumar <praveen.kumar@windriver.com>
	Fri, 27 Jun 2025 10:20:54 +0000 (15:50 +0530)
committer	Steve Sakoman <steve@sakoman.com>
	Fri, 27 Jun 2025 15:27:56 +0000 (08:27 -0700)
commit	cfb2d77f841ae21cae0ba7d6263dc3e1e0280400
tree	aeb3569650c407e7b3e2e5a9fa97bad9e9171bd2	tree \| snapshot
parent	082b865d9814e7e7aca4466551a035199aa8b563	commit \| diff

python3-setuptools: fix CVE-2025-47273

setuptools is a package that allows users to download, build, install,
upgrade, and uninstall Python packages. A path traversal vulnerability
in `PackageIndex` is present in setuptools prior to version 78.1.1. An
attacker would be allowed to write files to arbitrary locations on the
filesystem with the permissions of the process running the Python code,
which could escalate to remote code execution depending on the context.
Version 78.1.1 fixes the issue.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47273

Upstream-patch:
https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a
https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch	[new file with mode: 0644]	blob
meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch	[new file with mode: 0644]	blob
meta/recipes-devtools/python/python3-setuptools_76.0.0.bb		diff \| blob \| blame \| history