On 2025-09-08 10:00:13, Antoine Beaupré wrote:
> On 2025-09-07 20:29:19, Salvatore Bonaccorso wrote:
>> Source: python-internetarchive
>> Version: 5.4.0-1
>> Severity: important
>> Tags: security upstream
>> X-Debbugs-Cc: [email protected], Debian Security Team
>> <[email protected]>
>>
>> Hi,
>>
>> The following vulnerability was published for python-internetarchive.
>>
>> CVE-2025-58438[0]:
>> | internetarchive is a Python and Command-Line Interface to
>> | Archive.org In versions 5.5.0 and below, there is a directory
>> | traversal (path traversal) vulnerability in the File.download()
>> | method of the internetarchive library. The file.download() method
>> | does not properly sanitize user-supplied filenames or validate the
>> | final download path. A maliciously crafted filename could contain
>> | path traversal sequences (e.g.,
>> | ../../../../windows/system32/file.txt) or illegal characters that,
>> | when processed, would cause the file to be written outside of the
>> | intended target directory. An attacker could potentially overwrite
>> | critical system files or application configuration files, leading to
>> | a denial of service, privilege escalation, or remote code execution,
>> | depending on the context in which the library is used. The
>> | vulnerability is particularly critical for users on Windows systems,
>> | but all operating systems are affected. This issue is fixed in
>> | version 5.5.1.
>>
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> I have an upload ready for unstable already, changelog looks like this:
>
> python-internetarchive (5.5.1-1) unstable; urgency=high
>
>   * new upstream release (Closes: #1114635, CVE-2025-58438)
>
>  -- Antoine Beaupré <[email protected]>  Mon, 08 Sep 2025 09:50:19 -0400
>
> does that look sane? can i upload to unstable as is?
So i've uploaded that to unstable already...

[...]

> Is it really worth just doing that backport? We'd be avoiding:

[...]

> ... feels like mostly small features and bugfixes to me...

Not having had any feedback on this, i've prepared a debdiff for a simpler backport of the patch (as opposed to the whole upstream), see the attachment.

I am waiting on input from the security team before performing this upload, as directed by:

https://www.debian.org/doc/manuals/developers-reference/pkgs.html#security-uploads

i have not checked whether bookworm also needs a kick, i assume it does, but the version there is far older and the backport will be much more challenging. i would recommend dropping security support for that version.

a.

-- 
Premature optimization is the root of all evil - Donald Knuth
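The CVE text quoted above describes the defect as a download path that is never validated against the intended target directory. The following is an added illustration of the class of check that closes that gap; it is not the internetarchive project's code and not the upstream fix shipped in 5.5.1. Every name in it (`safe_download_path`, `download_to`, `is_rejected`, `run_checks`, `UnsafeFilenameError`) is hypothetical, and the policy of treating backslashes as separators on every platform and rejecting drive or UNC prefixes is an assumption chosen so that a name which is harmless on Linux cannot become a traversal when the same code runs on Windows.

```python
"""Illustrative path-containment check for an untrusted download filename.

Added example; not the internetarchive project's code and not the upstream
fix for CVE-2025-58438. All names here are hypothetical.
"""
import os
import re
import tempfile
from pathlib import Path, PurePosixPath


class UnsafeFilenameError(ValueError):
    """Raised when a remote filename would escape the download directory."""


# Assumed policy: reject Windows drive letters ("C:") and UNC prefixes
# ("\\\\host" or "//host") outright, on every platform.
_DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|[\\/]{2})")

# Constructed sample names: one benign nested name and several hostile ones.
SAMPLE_NAMES = (
    "item/data.txt",
    "../../../../windows/system32/file.txt",
    "..\\..\\evil.txt",
    "/etc/passwd",
    "C:\\Windows\\file.txt",
)


def safe_download_path(target_dir: str, remote_name: str) -> Path:
    """Return target_dir/remote_name if it stays inside target_dir, else raise.

    remote_name is the filename as supplied by item metadata, i.e. untrusted.
    """
    if not remote_name or "\x00" in remote_name:
        raise UnsafeFilenameError("empty or NUL-containing filename")
    if _DRIVE_OR_UNC.match(remote_name):
        raise UnsafeFilenameError(f"drive or UNC prefix in {remote_name!r}")

    # Assumed policy: backslashes are separators everywhere, so the lexical
    # check below sees the same components a Windows filesystem would.
    normalized = remote_name.replace("\\", "/")
    if normalized.startswith("/"):
        raise UnsafeFilenameError(f"absolute path {remote_name!r}")

    # First check is purely lexical: any '..' component is refused before the
    # filesystem is consulted. This also refuses "a/../b", which is a
    # deliberate conservative choice.
    parts = PurePosixPath(normalized).parts
    if any(p == ".." for p in parts):
        raise UnsafeFilenameError(f"parent-directory component in {remote_name!r}")

    base = Path(target_dir).resolve()
    candidate = base.joinpath(*parts)

    # Second check is filesystem-aware: resolve symlinks in the existing part
    # of the path (strict=False lets a not-yet-created file resolve through
    # its parents) and confirm the result is still under the resolved base.
    resolved = candidate.resolve(strict=False)
    try:
        resolved.relative_to(base)
    except ValueError:
        raise UnsafeFilenameError(
            f"{remote_name!r} resolves to {resolved}, outside {base}"
        ) from None
    return resolved


def download_to(target_dir: str, remote_name: str, data: bytes) -> Path:
    """Write data under target_dir only after the containment check passes."""
    dest = safe_download_path(target_dir, remote_name)
    dest.parent.mkdir(parents=True, exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def is_rejected(target_dir: str, remote_name: str) -> bool:
    """True if remote_name fails the check; useful for tests and audit logs."""
    try:
        safe_download_path(target_dir, remote_name)
    except UnsafeFilenameError:
        return True
    return False


def run_checks() -> dict:
    """Exercise the check in a temporary directory and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name in SAMPLE_NAMES:
            results[name] = is_rejected(tmp, name)
        # A symlink inside the download dir that points outside it: the
        # lexical check passes, the resolve-based check must still refuse it.
        try:
            (Path(tmp) / "escape").symlink_to(Path(tmp).parent)
            results["via_symlink"] = is_rejected(tmp, "escape/outside.txt")
        except OSError:
            results["via_symlink"] = None  # symlinks not permitted here
        written = download_to(tmp, "item/data.txt", b"hello")
        base = str(Path(tmp).resolve()) + os.sep
        results["written_inside"] = (
            written.read_bytes() == b"hello" and str(written).startswith(base)
        )
    return results


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name!r:45} -> {outcome}")
```

The two checks are intentionally redundant: the lexical one gives a clear error for the `../../../../windows/system32/file.txt` style of name the advisory cites, and the resolve-based one catches the cases a string check cannot see, such as a symlinked subdirectory pointing outside the download tree.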

