Sicherheit: Überschreiben von Dateien in Setuptools

Lesezeichen hinzufügen

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============4353100035112024260==
Content-Language: en-US
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature";
boundary="------------GPYvh4PkAgb4J0JC27ArViD7"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------GPYvh4PkAgb4J0JC27ArViD7
Content-Type: multipart/mixed;
boundary="------------jpdy0tIpuuxJ0L0Z8e6CplKv";
protected-headers="v1"
From: Fabian Toepfer <fabian.toepfer@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <c01d2fe6-4c6b-4011-b337-cf7f496e429a@canonical.com>
Subject: [USN-7544-1] Setuptools vulnerability

--------------jpdy0tIpuuxJ0L0Z8e6CplKv
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64

==========================================================================
Ubuntu Security Notice USN-7544-1
May 28, 2025

python-setuptools, setuptools vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Setuptools could be made to write files to arbitrary locations on the
filesystem.

Software Description:
- setuptools: Python Distutils Enhancements (documentation)
- python-setuptools: Python Distutils Enhancements

Details:

It was discovered that setuptools did not properly sanitize paths. An
attacker could possibly use this issue to write files to arbitrary
locations on the filesystem.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
python3-setuptools              75.8.0-1ubuntu1

Ubuntu 24.10
python3-setuptools              74.1.2-1ubuntu0.1

Ubuntu 24.04 LTS
python3-setuptools              68.1.2-2ubuntu1.2

Ubuntu 22.04 LTS
pypy-setuptools                 44.1.1-1.2ubuntu0.22.04.1+esm2
                                  Available with Ubuntu Pro
python-setuptools               44.1.1-1.2ubuntu0.22.04.1+esm2
                                  Available with Ubuntu Pro
python3-setuptools              59.6.0-1.2ubuntu0.22.04.3

Ubuntu 20.04 LTS
pypy-setuptools                 44.0.0-2ubuntu0.1+esm2
                                  Available with Ubuntu Pro
python-setuptools               44.0.0-2ubuntu0.1+esm2
                                  Available with Ubuntu Pro
python3-setuptools              45.2.0-1ubuntu0.3

Ubuntu 18.04 LTS
pypy-setuptools                 39.0.1-2ubuntu0.1+esm2
                                  Available with Ubuntu Pro
python-setuptools               39.0.1-2ubuntu0.1+esm2
                                  Available with Ubuntu Pro
python3-setuptools              39.0.1-2ubuntu0.1+esm2
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
pypy-setuptools                 20.7.0-1ubuntu0.1~esm3
                                  Available with Ubuntu Pro
python-setuptools               20.7.0-1ubuntu0.1~esm3
                                  Available with Ubuntu Pro
python3-setuptools              20.7.0-1ubuntu0.1~esm3
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
python-setuptools               3.3-1ubuntu2+esm3
                                  Available with Ubuntu Pro
python3-setuptools              3.3-1ubuntu2+esm3
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7544-1
CVE-2025-47273

Package Information:
https://launchpad.net/ubuntu/+source/setuptools/75.8.0-1ubuntu1
https://launchpad.net/ubuntu/+source/setuptools/74.1.2-1ubuntu0.1
https://launchpad.net/ubuntu/+source/setuptools/68.1.2-2ubuntu1.2

--------------jpdy0tIpuuxJ0L0Z8e6CplKv--

--------------GPYvh4PkAgb4J0JC27ArViD7
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature.asc"

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEE2WgtvmwmcgaEBLlnCAvK1QvD6SAFAmg3ZrcFAwAAAAAACgkQCAvK1QvD6SCI
exAAn8Yn0RjXydpiBBIK59eFDNMPs8zDPxMITjjfGqFnGI2MugZlu9r80/Ru+KLgKGjaJJ70JVwj
i3hmo4G9wQ3A7usStGrcV/SFXYZ/3GHiwFhb0+UR4aoK95KocVc3zG/Ds+aJNy3ZmbNJyVB7A+Ip
zWn+LuUz6u5+6g2aGyyr41rlfES73EzEmQN28Rw1m987MxN/u5oVGwE7x6vh4EmbNOkZ18/W1xPt
1Ba2z59ken1dIhMOzFMOXCPw/06pAdnynPMWMD6/dLaXDaNMxXOwRFH7a/Kfbte64joA4aXqAkyI
6k91NrkIh1lbQ/Ty5djehaP2yZBkxsmW6r7G5/HURU8R5Qe0fSCfmDLppzmwlVgjaJEGsMGrOCqd
eghznjXhnj3xnYaS8c1DuhnAXFgMiheEE9TR/13hASbb5+grTDlNPaWHVsBuCG6jkloZwtQjrFuQ
MDjfwEuKX7m0fi5eQ5YP30AHh74WHcFk5oZFBuk7KDwySG6oUA5NaMZDudHV/NJ5ZM/GqKtqpih2
us1zi5xXze0teoZ1xLUQRL30vbzKXqQ7IwOo9CfAfMdrg16eBPVdyT51M1x8vAJj17K6SYUSPBQO
hlbQhV8bFsCTK1w+Gvbhd5shedef7IpOnGdBM7GDol7w0k5tovrGWXL7IPB59CjCe/WqkahbtPlE
PAI=
=OgTS
-----END PGP SIGNATURE-----

--------------GPYvh4PkAgb4J0JC27ArViD7--

--===============4353100035112024260==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

Cg==

--===============4353100035112024260==--