Hi Antoine,

[Adding CC to [email protected]]
Apologies for the delay, we had other issues which needed more attention first.

On Tue, Sep 09, 2025 at 01:58:33PM -0400, Antoine Beaupré wrote:
> On 2025-09-08 10:00:13, Antoine Beaupré wrote:
> > On 2025-09-07 20:29:19, Salvatore Bonaccorso wrote:
> >> Source: python-internetarchive
> >> Version: 5.4.0-1
> >> Severity: important
> >> Tags: security upstream
> >> X-Debbugs-Cc: [email protected], Debian Security Team
> >> <[email protected]>
> >>
> >> Hi,
> >>
> >> The following vulnerability was published for python-internetarchive.
> >>
> >> CVE-2025-58438[0]:
> >> | internetarchive is a Python and Command-Line Interface to
> >> | Archive.org In versions 5.5.0 and below, there is a directory
> >> | traversal (path traversal) vulnerability in the File.download()
> >> | method of the internetarchive library. The file.download() method
> >> | does not properly sanitize user-supplied filenames or validate the
> >> | final download path. A maliciously crafted filename could contain
> >> | path traversal sequences (e.g.,
> >> | ../../../../windows/system32/file.txt) or illegal characters that,
> >> | when processed, would cause the file to be written outside of the
> >> | intended target directory. An attacker could potentially overwrite
> >> | critical system files or application configuration files, leading to
> >> | a denial of service, privilege escalation, or remote code execution,
> >> | depending on the context in which the library is used. The
> >> | vulnerability is particularly critical for users on Windows systems,
> >> | but all operating systems are affected. This issue is fixed in
> >> | version 5.5.1.
> >>
> >>
> >> If you fix the vulnerability please also make sure to include the
> >> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > I have an upload ready for unstable already, changelog looks like this:
> >
> > python-internetarchive (5.5.1-1) unstable; urgency=high
> >
> >   * new upstream release (Closes: #1114635, CVE-2025-58438)
> >
> >  -- Antoine Beaupré <[email protected]>  Mon, 08 Sep 2025 09:50:19 -0400
> >
> > does that look sane? can I upload to unstable as is?
>
> So I've uploaded that to unstable already...
>
> > [...]
>
> > Is it really worth just doing that backport? We'd be avoiding:
> > [...]
>
> > ... feels like mostly small features and bugfixes to me...
>
> Not having had any feedback on this, I've prepared a debdiff for a
> simpler backport of the patch (as opposed to the whole upstream), see
> the attachment.
>
> I am waiting on input from the security team before performing this
> upload, as directed by:
>
> https://www.debian.org/doc/manuals/developers-reference/pkgs.html#security-uploads
>
> I have not checked whether bookworm also needs a kick, I assume it
> does, but the version there is far older and the backport will be much
> more challenging.
>
> I would recommend dropping security support for that version.

We had brief discussions about python-internetarchive in the team and
think the issue might warrant a DSA. Could you prepare debdiffs for
both trixie-security and bookworm-security? (At least we should
attempt; bookworm is still security-supported for another year by
regular security support before moving to LTS.)

https://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security
contains some additional hints (linked from your reference).

I have added python-internetarchive to our dsa-needed list, so once we
have debdiffs for review and ack, we can proceed.

Regards,
Salvatore
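The CVE text quoted above describes the bug only in prose: a remote filename is joined onto the download directory without validation, so `../` components (or `..\` on Windows) walk out of the intended tree. The block below is an added example illustrating that pattern next to a containment check; it is not code from the internetarchive library, not the upstream fix shipped in 5.5.1, and not part of the Debian backport discussed in this thread. The function names (`unsafe_target_path`, `safe_target_path`, `is_safe`, `classify`), the destination directory and the sample filenames are all constructed for the example, and the decision to reject Windows drive letters, UNC prefixes and Windows-illegal characters on every platform is an assumption about what a downloader should want, not something the CVE text mandates.

```python
"""Added example: the join-without-validation pattern described in
CVE-2025-58438's text, beside a containment check that rejects traversal
components and any result that resolves outside the destination directory.
Not the internetarchive library's own code and not the upstream fix."""
import os
import re

# Assumption for this example: drive letters ("C:") and UNC or "//" prefixes
# are rejected on every platform, since an item's file list may be consumed
# on Windows even when the check is written on Linux.
_WINDOWS_ABS = re.compile(r"^(?:[A-Za-z]:|\\\\|//)")
# Characters Windows forbids in a single path component (plus control chars).
_BAD_CHARS = re.compile(r'[<>:"|?*\x00-\x1f]')


def unsafe_target_path(destdir: str, filename: str) -> str:
    """The vulnerable pattern: join the remote filename onto destdir as-is.
    '../../etc/passwd' yields a path that normalises to /etc/passwd."""
    return os.path.join(destdir, filename)


def safe_target_path(destdir: str, filename: str) -> str:
    """Return the absolute path at which `filename` may be written under
    `destdir`, or raise ValueError if it could land anywhere else."""
    if not filename:
        raise ValueError("empty filename")
    if filename.startswith(("/", "\\")) or _WINDOWS_ABS.match(filename):
        raise ValueError(f"absolute path not allowed: {filename!r}")
    # Split on both separators so a '..\\' component is caught even on POSIX,
    # where a backslash is otherwise a legal character in a file name.
    parts = [p for p in re.split(r"[\\/]+", filename) if p not in ("", ".")]
    if not parts:
        raise ValueError(f"no file name in {filename!r}")
    for part in parts:
        if part == "..":
            raise ValueError(f"traversal component in {filename!r}")
        if _BAD_CHARS.search(part):
            raise ValueError(f"illegal character in component {part!r}")
    base = os.path.realpath(destdir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    # Independent second check: after symlink resolution the final path must
    # still sit inside destdir. commonpath() itself raises ValueError when the
    # two paths are on different Windows drives, which is also a rejection.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{candidate!r} escapes {base!r}")
    return candidate


def is_safe(destdir: str, filename: str) -> bool:
    """True if safe_target_path() accepts the name, False if it rejects it."""
    try:
        safe_target_path(destdir, filename)
    except ValueError:
        return False
    return True


# Constructed sample input: a destination directory and file names as they
# might appear in an item's file list. None of these paths need to exist.
SAMPLE_DESTDIR = "/tmp/ia-download"
SAMPLE_FILENAMES = [
    "item/file.txt",
    "../../../../etc/passwd",
    "..\\..\\..\\..\\windows\\system32\\file.txt",
    "/etc/passwd",
    "C:\\Windows\\win.ini",
    "sub/../file.txt",
]


def classify(destdir: str = SAMPLE_DESTDIR, filenames=SAMPLE_FILENAMES) -> dict:
    """Map each sample filename to whether the containment check accepts it."""
    return {name: is_safe(destdir, name) for name in filenames}


if __name__ == "__main__":
    for name, ok in classify().items():
        print(f"{'accept' if ok else 'reject':7} {name!r:48} "
              f"naive join -> {unsafe_target_path(SAMPLE_DESTDIR, name)!r}")
```

Two design points worth noting for anyone reviewing a backport of this class of fix: `sub/../file.txt` is rejected even though it would normalise back inside the tree, because a downloader has no legitimate reason to emit `..` and allowing it only widens the surface for encoding tricks; and the `realpath`/`commonpath` comparison is kept as a second, independent check so that a symlink already present under the destination cannot redirect an otherwise clean name. A backport that only normalises the string, without the post-resolution check, is the kind of gap a debdiff review should look for.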

