Bug 2297771 (CVE-2024-6345) - CVE-2024-6345 pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools [NEEDINFO]
Summary: CVE-2024-6345 pypa/setuptools: Remote code execution via download functions i...
Keywords:
Status: NEW
Alias: CVE-2024-6345
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2298672 2298673 2298676 2298681 2298686 2298671 2298674 2298675 2298677 2298678 2298679 2298680 2298682 2298683
Blocks:
Reported: 2024-07-15 01:20 UTC by OSIDB Bzimport
Modified: 2024-10-01 07:16 UTC (History)
CC List: 96 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the package_index module of pypa/setuptools. Affected versions of this package allow remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:
oarribas: needinfo? (ahanwate)


Links
System ID Private Priority Status Summary Last Updated
Github pypa setuptools pull 4332 0 None Merged Modernize package_index VCS handling 2024-07-18 15:27:29 UTC
Red Hat Product Errata RHBA-2024:5153 0 None None None 2024-08-08 18:44:31 UTC
Red Hat Product Errata RHBA-2024:5206 0 None None None 2024-08-12 07:46:48 UTC
Red Hat Product Errata RHBA-2024:5319 0 None None None 2024-08-13 15:57:12 UTC
Red Hat Product Errata RHBA-2024:5320 0 None None None 2024-08-13 15:57:01 UTC
Red Hat Product Errata RHBA-2024:5380 0 None None None 2024-08-14 09:00:27 UTC
Red Hat Product Errata RHBA-2024:5540 0 None None None 2024-08-19 06:56:33 UTC
Red Hat Product Errata RHBA-2024:5541 0 None None None 2024-08-19 06:56:58 UTC
Red Hat Product Errata RHBA-2024:5542 0 None None None 2024-08-19 07:06:35 UTC
Red Hat Product Errata RHBA-2024:5543 0 None None None 2024-08-19 07:07:21 UTC
Red Hat Product Errata RHBA-2024:5544 0 None None None 2024-08-19 07:08:12 UTC
Red Hat Product Errata RHBA-2024:5545 0 None None None 2024-08-19 07:17:40 UTC
Red Hat Product Errata RHBA-2024:5546 0 None None None 2024-08-19 07:36:31 UTC
Red Hat Product Errata RHBA-2024:5548 0 None None None 2024-08-19 07:46:46 UTC
Red Hat Product Errata RHBA-2024:5549 0 None None None 2024-08-19 07:45:24 UTC
Red Hat Product Errata RHBA-2024:5550 0 None None None 2024-08-19 07:45:47 UTC
Red Hat Product Errata RHBA-2024:5551 0 None None None 2024-08-19 07:56:37 UTC
Red Hat Product Errata RHBA-2024:5552 0 None None None 2024-08-19 07:55:11 UTC
Red Hat Product Errata RHBA-2024:5554 0 None None None 2024-08-19 07:57:46 UTC
Red Hat Product Errata RHBA-2024:5558 0 None None None 2024-08-19 08:22:45 UTC
Red Hat Product Errata RHBA-2024:5559 0 None None None 2024-08-19 08:48:21 UTC
Red Hat Product Errata RHBA-2024:5560 0 None None None 2024-08-19 08:51:51 UTC
Red Hat Product Errata RHBA-2024:5561 0 None None None 2024-08-19 08:54:03 UTC
Red Hat Product Errata RHBA-2024:5562 0 None None None 2024-08-19 08:55:32 UTC
Red Hat Product Errata RHBA-2024:5563 0 None None None 2024-08-19 09:08:32 UTC
Red Hat Product Errata RHBA-2024:5566 0 None None None 2024-08-19 10:17:07 UTC
Red Hat Product Errata RHBA-2024:5570 0 None None None 2024-08-19 11:59:40 UTC
Red Hat Product Errata RHBA-2024:5571 0 None None None 2024-08-19 12:27:33 UTC
Red Hat Product Errata RHBA-2024:5572 0 None None None 2024-08-19 12:59:07 UTC
Red Hat Product Errata RHBA-2024:5574 0 None None None 2024-08-19 14:56:22 UTC
Red Hat Product Errata RHBA-2024:5596 0 None None None 2024-08-20 09:11:55 UTC
Red Hat Product Errata RHBA-2024:5603 0 None None None 2024-08-20 10:07:20 UTC
Red Hat Product Errata RHBA-2024:5605 0 None None None 2024-08-20 10:11:55 UTC
Red Hat Product Errata RHBA-2024:5682 0 None None None 2024-08-21 08:25:20 UTC
Red Hat Product Errata RHBA-2024:5683 0 None None None 2024-08-21 09:49:15 UTC
Red Hat Product Errata RHBA-2024:5686 0 None None None 2024-08-21 11:07:46 UTC
Red Hat Product Errata RHBA-2024:5687 0 None None None 2024-08-21 11:08:27 UTC
Red Hat Product Errata RHBA-2024:5702 0 None None None 2024-08-21 12:13:34 UTC
Red Hat Product Errata RHBA-2024:5705 0 None None None 2024-08-21 12:16:04 UTC
Red Hat Product Errata RHBA-2024:5804 0 None None None 2024-08-26 01:24:50 UTC
Red Hat Product Errata RHBA-2024:5806 0 None None None 2024-08-26 02:25:29 UTC
Red Hat Product Errata RHBA-2024:5816 0 None None None 2024-08-26 08:03:31 UTC
Red Hat Product Errata RHBA-2024:5819 0 None None None 2024-08-26 08:03:20 UTC
Red Hat Product Errata RHBA-2024:5820 0 None None None 2024-08-26 07:40:51 UTC
Red Hat Product Errata RHBA-2024:5821 0 None None None 2024-08-26 07:41:24 UTC
Red Hat Product Errata RHBA-2024:5825 0 None None None 2024-08-26 08:03:09 UTC
Red Hat Product Errata RHBA-2024:5827 0 None None None 2024-08-26 08:02:09 UTC
Red Hat Product Errata RHBA-2024:5836 0 None None None 2024-08-26 08:11:47 UTC
Red Hat Product Errata RHBA-2024:5877 0 None None None 2024-08-26 20:18:13 UTC
Red Hat Product Errata RHBA-2024:5888 0 None None None 2024-08-27 09:58:39 UTC
Red Hat Product Errata RHBA-2024:5911 0 None None None 2024-08-27 20:23:39 UTC
Red Hat Product Errata RHBA-2024:5946 0 None None None 2024-08-28 15:56:32 UTC
Red Hat Product Errata RHBA-2024:6002 0 None None None 2024-08-29 08:01:17 UTC
Red Hat Product Errata RHBA-2024:6415 0 None None None 2024-09-05 09:35:36 UTC
Red Hat Product Errata RHBA-2024:6552 0 None None None 2024-09-10 17:24:39 UTC
Red Hat Product Errata RHSA-2024:5000 0 None None None 2024-08-05 08:58:06 UTC
Red Hat Product Errata RHSA-2024:5002 0 None None None 2024-08-05 08:58:55 UTC
Red Hat Product Errata RHSA-2024:5040 0 None None None 2024-08-06 12:49:49 UTC
Red Hat Product Errata RHSA-2024:5078 0 None None None 2024-08-07 10:17:00 UTC
Red Hat Product Errata RHSA-2024:5084 0 None None None 2024-08-07 13:33:00 UTC
Red Hat Product Errata RHSA-2024:5137 0 None None None 2024-08-08 14:32:36 UTC
Red Hat Product Errata RHSA-2024:5279 0 None None None 2024-08-13 14:25:14 UTC
Red Hat Product Errata RHSA-2024:5389 0 None None None 2024-08-14 11:23:20 UTC
Red Hat Product Errata RHSA-2024:5530 0 None None None 2024-08-19 09:06:41 UTC
Red Hat Product Errata RHSA-2024:5531 0 None None None 2024-08-19 06:29:57 UTC
Red Hat Product Errata RHSA-2024:5532 0 None None None 2024-08-19 06:19:44 UTC
Red Hat Product Errata RHSA-2024:5533 0 None None None 2024-08-19 06:50:00 UTC
Red Hat Product Errata RHSA-2024:5534 0 None None None 2024-08-19 09:36:48 UTC
Red Hat Product Errata RHSA-2024:5962 0 None None None 2024-08-28 18:52:05 UTC
Red Hat Product Errata RHSA-2024:6220 0 None None None 2024-09-03 12:42:20 UTC
Red Hat Product Errata RHSA-2024:6309 0 None None None 2024-09-04 11:25:07 UTC
Red Hat Product Errata RHSA-2024:6311 0 None None None 2024-09-04 11:13:21 UTC
Red Hat Product Errata RHSA-2024:6312 0 None None None 2024-09-04 11:16:05 UTC
Red Hat Product Errata RHSA-2024:6488 0 None None None 2024-09-09 11:16:05 UTC
Red Hat Product Errata RHSA-2024:6611 0 None None None 2024-09-11 18:14:08 UTC
Red Hat Product Errata RHSA-2024:6612 0 None None None 2024-09-11 18:11:18 UTC
Red Hat Product Errata RHSA-2024:6661 0 None None None 2024-09-12 18:19:53 UTC
Red Hat Product Errata RHSA-2024:6662 0 None None None 2024-09-12 18:29:45 UTC
Red Hat Product Errata RHSA-2024:6726 0 None None None 2024-09-17 12:59:05 UTC
Red Hat Product Errata RHSA-2024:6907 0 None None None 2024-09-23 01:37:27 UTC
Red Hat Product Errata RHSA-2024:7213 0 None None None 2024-09-26 13:28:42 UTC
Red Hat Product Errata RHSA-2024:7374 0 None None None 2024-09-30 10:26:24 UTC

Description OSIDB Bzimport 2024-07-15 01:20:34 UTC
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

Comment 1 Avinash Hanwate 2024-07-18 13:14:54 UTC
Created buku tracking bugs for this issue:

Affects: fedora-all [bug 2298673]


Created cura tracking bugs for this issue:

Affects: fedora-all [bug 2298674]


Created limnoria tracking bugs for this issue:

Affects: epel-all [bug 2298672]


Created pypy tracking bugs for this issue:

Affects: fedora-all [bug 2298675]


Created python-setuptools_scm tracking bugs for this issue:

Affects: fedora-40 [bug 2298671]


Created qcoro tracking bugs for this issue:

Affects: fedora-all [bug 2298676]

Comment 3 Lumír Balhar 2024-07-25 17:25:49 UTC
The main part of the PR fixing the vulnerability is the switch from os.system("git clone …") to subprocess.check_call(["git", "clone", …]).

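The description and Comment 3 above describe the defect and its fix: a command string built from a package URL and handed to os.system is parsed by /bin/sh, whereas an argv list given to subprocess goes straight to execve() with the URL as one literal argument. The following is an added example written for this page, not setuptools' own code, showing that shape of fix plus two checks the list form alone does not provide (a scheme allow-list and a `--` separator); function names, the allowed-scheme set and the sample URLs are assumptions.

```python
import re
import shlex
import subprocess
from urllib.parse import urlsplit

# Assumption: the schemes this deployment is willing to clone from.
ALLOWED_SCHEMES = {"https", "ssh", "git", "file"}

# Whitespace and the characters /bin/sh treats specially. Glob characters
# (* ?) are included on purpose; a git clone URL has no business containing them.
_SHELL_META = re.compile(r"[\s;&|`$<>(){}\[\]!*?'\"\\]")


def shell_tokens_for_old_style(url: str) -> list:
    """How a POSIX shell would have tokenised the pre-fix command string
    'git clone <url>'. shlex applies the same quoting rules, so this shows
    the split without executing anything."""
    return shlex.split("git clone " + url)


def build_clone_argv(url: str, dest: str) -> list:
    """Argv for the fixed, shell-free invocation.

    Rejects URLs that would only have meant something to a shell, and
    arguments that git would otherwise parse as options."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if _SHELL_META.search(url):
        raise ValueError("URL contains whitespace or shell metacharacters")
    if url.startswith("-") or dest.startswith("-"):
        raise ValueError("argument would be interpreted as a git option")
    # "--" ends option parsing: neither url nor dest can become a git flag,
    # which is a gap that replacing os.system with a list alone leaves open.
    return ["git", "clone", "--", url, dest]


def clone(url: str, dest: str) -> None:
    """Run the clone with no shell involved (subprocess defaults to shell=False)."""
    subprocess.check_call(build_clone_argv(url, dest))
```
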
Comment 4 errata-xmlrpc 2024-08-05 08:58:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:5000 https://access.redhat.com/errata/RHSA-2024:5000

Comment 5 errata-xmlrpc 2024-08-05 08:58:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:5002 https://access.redhat.com/errata/RHSA-2024:5002

Comment 8 errata-xmlrpc 2024-08-06 12:49:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:5040 https://access.redhat.com/errata/RHSA-2024:5040

Comment 9 errata-xmlrpc 2024-08-07 10:16:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:5078 https://access.redhat.com/errata/RHSA-2024:5078

Comment 10 errata-xmlrpc 2024-08-07 13:32:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:5084 https://access.redhat.com/errata/RHSA-2024:5084

Comment 11 Fedora Update System 2024-08-08 02:41:28 UTC
FEDORA-2024-247e9ba33a (python-setuptools-69.0.3-4.fc40) has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 12 errata-xmlrpc 2024-08-08 14:32:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:5137 https://access.redhat.com/errata/RHSA-2024:5137

Comment 13 Fedora Update System 2024-08-11 03:29:13 UTC
FEDORA-2024-9ed182a5d3 (python-setuptools-67.7.2-8.fc39) has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 14 errata-xmlrpc 2024-08-13 14:25:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:5279 https://access.redhat.com/errata/RHSA-2024:5279

Comment 15 aleskandro 2024-08-13 22:10:20 UTC
Are the upgrades expected to be shipped in the registry.redhat.io/rhel9-2-els/rhel:9.2 image?

Comment 16 Lumír Balhar 2024-08-14 05:44:00 UTC
(In reply to aleskandro from comment #15)
> Are the upgrades expected to be shipped in the
> registry.redhat.io/rhel9-2-els/rhel:9.2 image?

This is a high-severity vulnerability and RHEL 9.2 is still supported so the answer is yes. python-setuptools is already fixed, the update for python3.11-setuptools is in progress.

Comment 17 errata-xmlrpc 2024-08-14 11:23:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:5389 https://access.redhat.com/errata/RHSA-2024:5389

Comment 18 errata-xmlrpc 2024-08-19 06:19:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5532 https://access.redhat.com/errata/RHSA-2024:5532

Comment 19 errata-xmlrpc 2024-08-19 06:29:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5531 https://access.redhat.com/errata/RHSA-2024:5531

Comment 20 errata-xmlrpc 2024-08-19 06:49:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:5533 https://access.redhat.com/errata/RHSA-2024:5533

Comment 21 errata-xmlrpc 2024-08-19 09:06:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5530 https://access.redhat.com/errata/RHSA-2024:5530

Comment 22 errata-xmlrpc 2024-08-19 09:36:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:5534 https://access.redhat.com/errata/RHSA-2024:5534

Comment 25 errata-xmlrpc 2024-08-28 18:51:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5962 https://access.redhat.com/errata/RHSA-2024:5962

Comment 26 errata-xmlrpc 2024-09-03 12:42:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:6220 https://access.redhat.com/errata/RHSA-2024:6220

Comment 27 errata-xmlrpc 2024-09-04 11:13:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6311 https://access.redhat.com/errata/RHSA-2024:6311

Comment 28 errata-xmlrpc 2024-09-04 11:15:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:6312 https://access.redhat.com/errata/RHSA-2024:6312

Comment 29 errata-xmlrpc 2024-09-04 11:25:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6309 https://access.redhat.com/errata/RHSA-2024:6309

Comment 30 errata-xmlrpc 2024-09-09 11:15:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:6488 https://access.redhat.com/errata/RHSA-2024:6488

Comment 31 errata-xmlrpc 2024-09-11 18:11:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:6612 https://access.redhat.com/errata/RHSA-2024:6612

Comment 32 errata-xmlrpc 2024-09-11 18:14:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:6611 https://access.redhat.com/errata/RHSA-2024:6611

Comment 33 errata-xmlrpc 2024-09-12 18:19:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2024:6661 https://access.redhat.com/errata/RHSA-2024:6661

Comment 34 errata-xmlrpc 2024-09-12 18:29:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2024:6662 https://access.redhat.com/errata/RHSA-2024:6662

Comment 35 errata-xmlrpc 2024-09-17 12:58:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6726 https://access.redhat.com/errata/RHSA-2024:6726

Comment 36 errata-xmlrpc 2024-09-23 01:37:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2024:6907 https://access.redhat.com/errata/RHSA-2024:6907

Comment 37 errata-xmlrpc 2024-09-26 13:28:36 UTC
This issue has been addressed in the following products:

  Service Interconnect 1.4 for RHEL 9

Via RHSA-2024:7213 https://access.redhat.com/errata/RHSA-2024:7213

Comment 38 errata-xmlrpc 2024-09-30 10:26:16 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 9

Via RHSA-2024:7374 https://access.redhat.com/errata/RHSA-2024:7374
