chore(deps): update dependency setuptools to v78 [security] #45

renovate · 2024-07-15T19:48:15Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
setuptools (changelog)	`==68.` -> `==78.`

GitHub Vulnerability Alerts

CVE-2024-6345

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

CVE-2025-47273

Summary

A path traversal vulnerability in PackageIndex was fixed in setuptools version 78.1.1

Details

    def _download_url(self, url, tmpdir):
        # Determine download filename
        #
        name, _fragment = egg_info_for_url(url)
        if name:
            while '..' in name:
                name = name.replace('..', '.').replace('\\', '_')
        else:
            name = "__downloaded__"  # default if URL has no path contents

        if name.endswith('.[egg.zip](http://egg.zip/)'):
            name = name[:-4]  # strip the extra .zip before download

 -->       filename = os.path.join(tmpdir, name)

Here: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88

os.path.join() discards the first argument tmpdir if the second begins with a slash or drive letter.
name is derived from a URL without sufficient sanitization. While there is some attempt to sanitize by replacing instances of '..' with '.', it is insufficient.

Risk Assessment

As easy_install and package_index are deprecated, the exploitation surface is reduced.
However, it seems this could be exploited in a similar fashion like GHSA-r9hx-vwmv-q579, and as described by POC 4 in GHSA-cx63-2mw6-8hw5 report: via malicious URLs present on the pages of a package index.

Impact

An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context.

References

https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
https://github.com/pypa/setuptools/issues/4946

Release Notes

pypa/setuptools (setuptools)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

sonarqubecloud · 2024-07-21T20:24:53Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

sonarqubecloud · 2025-07-08T23:26:31Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud · 2025-09-26T02:13:58Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

renovate bot requested a review from a team as a code owner July 15, 2024 19:48

renovate bot added major renovate labels Jul 15, 2024

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from f996056 to b246ff6 Compare July 21, 2024 15:12

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v71 [security] Jul 21, 2024

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from b246ff6 to 3aa423e Compare July 21, 2024 20:24

renovate bot changed the title ~~chore(deps): update dependency setuptools to v71 [security]~~ chore(deps): update dependency setuptools to v70 [security] Jul 21, 2024

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from 3aa423e to 68640a3 Compare December 10, 2024 12:20

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v75 [security] Dec 10, 2024

renovate bot changed the title ~~chore(deps): update dependency setuptools to v75 [security]~~ chore(deps): update dependency setuptools to v70 [security] Dec 10, 2024

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch 2 times, most recently from 9bbb1a8 to dffce4a Compare December 16, 2024 10:00

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v75 [security] Dec 16, 2024

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from dffce4a to cc4de5d Compare December 16, 2024 13:13

renovate bot changed the title ~~chore(deps): update dependency setuptools to v75 [security]~~ chore(deps): update dependency setuptools to v70 [security] Dec 16, 2024

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from cc4de5d to 8f172f3 Compare December 17, 2024 19:18

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v75 [security] Dec 17, 2024

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from 8f172f3 to 0b52681 Compare December 17, 2024 23:28

renovate bot changed the title ~~chore(deps): update dependency setuptools to v75 [security]~~ chore(deps): update dependency setuptools to v70 [security] Dec 17, 2024

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from 0b52681 to 9cb8057 Compare January 14, 2025 18:07

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v75 [security] Jan 14, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from 9cb8057 to f60b87a Compare January 14, 2025 23:47

renovate bot changed the title ~~chore(deps): update dependency setuptools to v75 [security]~~ chore(deps): update dependency setuptools to v70 [security] Jan 14, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from f60b87a to bbab583 Compare January 30, 2025 17:50

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v75 [security] Jan 30, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from bbab583 to f6c331f Compare January 30, 2025 20:46

renovate bot changed the title ~~chore(deps): update dependency setuptools to v75 [security]~~ chore(deps): update dependency setuptools to v70 [security] Jan 30, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from f6c331f to 2cd628a Compare March 3, 2025 12:28

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v75 [security] Mar 3, 2025

renovate bot changed the title ~~chore(deps): update dependency setuptools to v78 [security]~~ chore(deps): update dependency setuptools to v70 [security] Apr 9, 2025

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v80 [security] May 7, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch 2 times, most recently from c07e6e6 to ca4bf52 Compare May 7, 2025 20:41

renovate bot changed the title ~~chore(deps): update dependency setuptools to v80 [security]~~ chore(deps): update dependency setuptools to v70 [security] May 7, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from ca4bf52 to a3b48b6 Compare May 12, 2025 07:40

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v80 [security] May 12, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from a3b48b6 to 675156e Compare May 12, 2025 10:49

renovate bot changed the title ~~chore(deps): update dependency setuptools to v80 [security]~~ chore(deps): update dependency setuptools to v70 [security] May 12, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from 675156e to 1d33ed3 Compare May 20, 2025 00:11

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v78 [security] May 20, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from 1d33ed3 to b5df3ea Compare July 8, 2025 17:52

renovate bot changed the title ~~chore(deps): update dependency setuptools to v78 [security]~~ chore(deps): update dependency setuptools to v80 [security] Jul 8, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from b5df3ea to dfb6b3c Compare July 8, 2025 23:26

renovate bot changed the title ~~chore(deps): update dependency setuptools to v80 [security]~~ chore(deps): update dependency setuptools to v78 [security] Jul 8, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from dfb6b3c to 494a685 Compare August 10, 2025 13:35

renovate bot changed the title ~~chore(deps): update dependency setuptools to v78 [security]~~ chore(deps): update dependency setuptools to v80 [security] Aug 10, 2025

renovate bot changed the title ~~chore(deps): update dependency setuptools to v80 [security]~~ chore(deps): update dependency setuptools to v78 [security] Aug 10, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch 2 times, most recently from 3ffdc8f to da9d95e Compare August 13, 2025 14:57

renovate bot changed the title ~~chore(deps): update dependency setuptools to v78 [security]~~ chore(deps): update dependency setuptools to v80 [security] Aug 13, 2025

renovate bot changed the title ~~chore(deps): update dependency setuptools to v80 [security]~~ chore(deps): update dependency setuptools to v78 [security] Aug 13, 2025

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from da9d95e to 0c250b8 Compare August 13, 2025 18:36

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from 0c250b8 to 5c27195 Compare September 25, 2025 21:01

renovate bot changed the title ~~chore(deps): update dependency setuptools to v78 [security]~~ chore(deps): update dependency setuptools to v80 [security] Sep 25, 2025

chore(deps): update dependency setuptools to v78 [security]

5df901a

renovate bot force-pushed the renovate/pypi-setuptools-vulnerability branch from 5c27195 to 5df901a Compare September 26, 2025 02:13

renovate bot changed the title ~~chore(deps): update dependency setuptools to v80 [security]~~ chore(deps): update dependency setuptools to v78 [security] Sep 26, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): update dependency setuptools to v78 [security] #45

chore(deps): update dependency setuptools to v78 [security] #45

Uh oh!

renovate bot commented Jul 15, 2024 •

edited

Loading

Uh oh!

sonarqubecloud bot commented Jul 21, 2024

Uh oh!

sonarqubecloud bot commented Jul 8, 2025

Uh oh!

sonarqubecloud bot commented Sep 26, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

chore(deps): update dependency setuptools to v78 [security] #45

Are you sure you want to change the base?

chore(deps): update dependency setuptools to v78 [security] #45

Uh oh!

Conversation

renovate bot commented Jul 15, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Summary

Details

Risk Assessment

Impact

References

Release Notes

Configuration

Uh oh!

sonarqubecloud bot commented Jul 21, 2024

Quality Gate passed

Uh oh!

sonarqubecloud bot commented Jul 8, 2025

Quality Gate passed

Uh oh!

sonarqubecloud bot commented Sep 26, 2025

Quality Gate passed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

renovate bot commented Jul 15, 2024 •

edited

Loading