I'd like to responsibly disclose a vulnerability in pyp2spec (https://github.com/befeleme/pyp2spec). pyp2spec generates RPM spec files from Python package metadata without escaping RPM directives. A malicious package on PyPI can embed content in its metadata that, when processed by pyp2spec and built with rpmbuild, results in arbitrary command execution on the build machine. I have a self-contained Docker-based proof of concept that demonstrates the full attack chain. Happy to share it privately through this bug. I haven't disclosed this anywhere else.

Reproducible: Always

Steps to Reproduce:
1. Create a Python package with RPM macro directives embedded in the summary metadata field
2. Build an sdist and wheel from the package
3. Run pyp2spec against the local package
4. Run rpmbuild on the generated spec file
5. Observe that the embedded directives are evaluated by rpmbuild

Actual Results: RPM macros in package metadata are written verbatim into the generated spec file and execute during rpmbuild.

Expected Results: Package metadata containing RPM directives should be escaped before being written to the spec file.

Additional Information: I have a self-contained Docker-based proof of concept ready to share privately once this report is triaged.
Hello, thank you for the report. Can you share the PoC through my e-mail: ksurma[at]redhat.com?
(In reply to Karolina Surma from comment #1)
> Hello, thank you for the report. Can you share the PoC through my e-mail:
> ksurma[at]redhat.com?

Hello Karolina,

I've sent the PoC to your email (as a zip file). There are a few files in there, but the short of it is: to run the PoC, first unzip, then change the permissions on the folder to allow sh files to execute, and finally run ./poc.sh. Please let me know if you have any comments, questions, or concerns.

Thanks,
Nick G.
FEDORA-2026-9ba2d85db0 (pyp2spec-0.14.1-1.fc45) has been submitted as an update to Fedora 45. https://bodhi.fedoraproject.org/updates/FEDORA-2026-9ba2d85db0
FEDORA-2026-91671b8061 (pyp2spec-0.14.1-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2026-91671b8061
FEDORA-2026-9ba2d85db0 (pyp2spec-0.14.1-1.fc45) has been pushed to the Fedora 45 stable repository. If problem still persists, please make note of it in this bug report.
Hey @mhroncok, now that this is fixed and shipped I'd like to request a CVE for tracking. The fix landed in pyp2spec-0.14.1-1.fc45 and pyp2spec-0.14.1-1.fc42.

Short recap of the issue: pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine. CWE-94 / CWE-78.

One thing worth flagging on impact: the macro evaluates during spec parsing, not only during the build step. Any rpm tool touching the generated spec triggers execution (rpmbuild -bs, rpmbuild --nobuild, rpm -q --specfile), so the victim doesn't need to commit to a full build before getting compromised. The realistic attack path is typosquatting or targeting a package known to be under Fedora review rather than drive-by publishing. Fedora packagers hold dist-git SSH keys, Koji build credentials, and Bodhi update credentials, so compromise of one packager's workstation enables committing malicious source to dist-git and riding it through the normal build pipeline to end users.

For CVSS I'd suggest AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which comes out to 8.8 High. I'll leave the final impact rating to y'all.

Fix PR: https://github.com/befeleme/pyp2spec/pull/66

I have a Docker-based PoC; let me know if anyone wants a copy.

Thanks,
Nick G.
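The defect recapped above (metadata copied verbatim into a spec file) and the expected fix (escape RPM directives before writing) can be illustrated with a small sanitizer plus a check for what rpm would still expand at parse time. This is an added example and not pyp2spec's code or the change in PR #66; the header template, the field names, the `MALICIOUS_SUMMARY` sample and all helper names are my own constructions. It relies on rpm's convention that `%%` is a literal percent sign, and it also flattens newlines in single-line header fields so a value cannot start a new directive on the following line.

```python
import re

# Constructed sample: a PyPI summary carrying an RPM shell-expansion macro, a
# plain macro reference, and an embedded newline that starts a new spec
# directive. The command inside %( ) is a harmless echo used for illustration.
MALICIOUS_SUMMARY = (
    "Useful tool %(echo injected) built for %{_target_cpu}\nBuildArch: noarch"
)

# Spec header fields rpm reads as a single line; a newline inside one of them
# would let metadata begin a fresh directive on the next line of the spec.
SINGLE_LINE_FIELDS = {"Name", "Version", "Summary", "License", "URL"}

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# A macro rpm would expand while parsing the spec: %(shell), %{macro} or %name.
_MACRO = re.compile(r"%(?:\([^)]*\)|\{[^}]*\}|[A-Za-z_]\w*)")


def escape_rpm_macros(value: str) -> str:
    """Double every '%' so rpm prints it literally instead of expanding a macro."""
    return value.replace("%", "%%")


def sanitize_field(field: str, value: str) -> str:
    """Escape macros and, for single-line fields, replace control characters."""
    value = escape_rpm_macros(value)
    if field in SINGLE_LINE_FIELDS:
        value = _CONTROL_CHARS.sub(" ", value).strip()
    return value


def find_unescaped_macros(text: str) -> list[str]:
    """Return macro fragments rpm would still expand; '%%' counts as a literal."""
    hits = []
    i = 0
    while i < len(text):
        if text[i] != "%":
            i += 1
            continue
        if text.startswith("%%", i):
            i += 2  # escaped percent sign: skip both characters
            continue
        match = _MACRO.match(text, i)
        if match:
            hits.append(match.group(0))
            i = match.end()
        else:
            i += 1  # a lone '%' (e.g. "50% off"), not a macro
    return hits


# Hypothetical header template; pyp2spec's real templates differ.
SPEC_HEADER_TEMPLATE = (
    "Name:           python-{Name}\n"
    "Version:        {Version}\n"
    "Summary:        {Summary}\n"
    "License:        {License}\n"
)


def render_spec_header(metadata: dict[str, str]) -> str:
    """Render the spec header with every metadata value sanitized first."""
    safe = {field: sanitize_field(field, value) for field, value in metadata.items()}
    return SPEC_HEADER_TEMPLATE.format(**safe)


if __name__ == "__main__":
    metadata = {
        "Name": "demo",
        "Version": "1.0",
        "Summary": MALICIOUS_SUMMARY,
        "License": "MIT",
    }
    print("macros in raw summary:", find_unescaped_macros(MALICIOUS_SUMMARY))
    header = render_spec_header(metadata)
    print(header)
    print("macros left after sanitizing:", find_unescaped_macros(header))
```

Running `find_unescaped_macros` over the rendered output is the check a packager or a CI step can apply to any generated spec before feeding it to an rpm tool, since, as noted above, parsing alone (`rpmbuild -bs`, `rpm -q --specfile`) is enough to trigger expansion. The check must be run on the substituted metadata values rather than on a template's own `%{...}` references, which are intentional.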
Sorry, didn't tag correctly; tagging correctly now: @mhroncok
FEDORA-2026-91671b8061 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-91671b8061` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-91671b8061 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2026-91671b8061 (pyp2spec-0.14.1-1.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.