setuptools Path Traversal Vulnerability in PackageIndex Allowing Arbitrary File Write

Vulnerability

A path traversal vulnerability has been identified in the 'PackageIndex' component of setuptools, affecting versions prior to 78.1.1. This vulnerability allows an attacker to write files to arbitrary locations on the filesystem, using the permissions of the process executing the Python code. Depending on the context, this could lead to remote code execution. The issue arises because 'PackageIndex' improperly sanitizes filenames derived from URLs, enabling exploitation by manipulating the URL path.

Impact

Exploitation of this vulnerability could result in arbitrary file writes, with the potential for remote code execution, depending on the context in which the code is run.

Reproduction

The vulnerability can be reproduced by using the 'PackageIndex' module to download a file from a URL that includes path traversal characters, such as '../'. The 'PackageIndex' will write the file to a location outside of the intended directory, such as the user's SSH authorized_keys file.
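The check a hardened download routine should perform before writing is shown below. This is an added example, not setuptools' own code or its actual fix: it derives the filename from the URL's last path segment only, rejects any traversal segment or embedded separator, and confirms the resolved target still sits inside the download directory. The URLs, the `downloads` directory and the helper names are constructed for illustration.

```python
import os
from urllib.parse import unquote, urlsplit


class UnsafeFilename(ValueError):
    """Raised when a URL would name a file outside the download directory."""


def url_filename(url: str) -> str:
    """Return the leaf filename from a download URL, or raise UnsafeFilename.

    The path is percent-decoded before splitting so that encoded '..%2F'
    sequences cannot smuggle a traversal past the check (assumed policy:
    reject rather than silently normalise).
    """
    segments = unquote(urlsplit(url).path).split("/")
    if any(seg == ".." for seg in segments):
        raise UnsafeFilename(f"traversal segment in URL path: {url!r}")
    name = segments[-1]
    if name in ("", ".") or "\\" in name or "\x00" in name:
        raise UnsafeFilename(f"unusable filename from URL: {url!r}")
    return name


def safe_download_path(url: str, download_dir: str = "downloads") -> str:
    """Absolute path under download_dir that the file from url may be written to."""
    name = url_filename(url)
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Defence in depth: even after the segment check, refuse any target
    # whose resolved path escapes the download directory.
    if os.path.commonpath([base, target]) != base:
        raise UnsafeFilename(f"{target!r} escapes {base!r}")
    return target


def is_safe_download_url(url: str, download_dir: str = "downloads") -> bool:
    """True when the URL yields a filename that stays inside download_dir."""
    try:
        safe_download_path(url, download_dir)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    # Constructed inputs: a normal sdist URL and a traversal attempt of the
    # kind described in the advisory (percent-encoded to evade naive checks).
    for u in ("https://example.invalid/simple/pkg-1.0.tar.gz",
              "https://example.invalid/pkg/..%2F..%2F.ssh%2Fauthorized_keys"):
        print(u, "->", "accepted" if is_safe_download_url(u) else "rejected")
```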

Remediation

Users should upgrade to setuptools version 78.1.1 or later. For Debian 11 bullseye, this vulnerability has been fixed in version 52.0.0-4+deb11u2.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 9.4
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.