On 2025-09-07 20:29:19, Salvatore Bonaccorso wrote:
> Source: python-internetarchive
> Version: 5.4.0-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team 
> <[email protected]>
>
> Hi,
>
> The following vulnerability was published for python-internetarchive.
>
> CVE-2025-58438[0]:
> | internetarchive is a Python and Command-Line Interface to
> | Archive.org In versions 5.5.0 and below, there is a directory
> | traversal (path traversal) vulnerability in the File.download()
> | method of the internetarchive library. The file.download() method
> | does not properly sanitize user-supplied filenames or validate the
> | final download path. A maliciously crafted filename could contain
> | path traversal sequences (e.g.,
> | ../../../../windows/system32/file.txt) or illegal characters that,
> | when processed, would cause the file to be written outside of the
> | intended target directory. An attacker could potentially overwrite
> | critical system files or application configuration files, leading to
> | a denial of service, privilege escalation, or remote code execution,
> | depending on the context in which the library is used.  The
> | vulnerability is particularly critical for users on Windows systems,
> | but all operating systems are affected. This issue is fixed in
> | version 5.5.1.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I have an upload ready for unstable already, changelog looks like this:

python-internetarchive (5.5.1-1) unstable; urgency=high

  * new upstream release (Closes: #1114635, CVE-2025-58438)

 -- Antoine Beaupré <[email protected]>  Mon, 08 Sep 2025 09:50:19 -0400

does that look sane? can i upload to unstable as is?

i also wonder how to fix this in stable. we're only two versions behind
upstream there (one minor, one major, and the security fix), so the diff
is pretty darn small. The security patch for 5.5.1 is:

 7 files changed, 302 insertions(+), 5 deletions(-)

and the diff from 5.4.0 (stable) to 5.5.1 is:

 21 files changed, 560 insertions(+), 88 deletions(-)

Is it really worth just doing that backport? We'd be avoiding:

> # 5.4.0
> 
> Features and Improvements
> 
>     Stop setting scanner on upload per policy change.
> 
> Bugfixes
> 
>     Fixed bug where REMOVE_TAG was not working with indexed keys.
>     Fixed argument validation and option parsing in ia download.
> 
> # 5.5.0
> 
> Features and Improvements
> 
>     Added --parameters option to ia metadata.

... feels like mostly small features and bugfixes to me...

Thanks for the feedback,

a.

-- 
Feminism has never killed anyone;
machismo kills every day.
                        - Benoîte Groult
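A defensive check of the kind the CVE description above calls for (sanitize the server-supplied filename and validate the final download path), added here as an illustration; it is not code from internetarchive or from the 5.5.1 fix, and `resolve_download_path`, `is_safe_filename` and `UnsafeFilenameError` are hypothetical names. It rejects absolute names, `..` segments and Windows-illegal characters lexically, then confirms the resolved path still lies under the target directory, so behaviour is the same on POSIX and Windows.

```python
import os
import posixpath


class UnsafeFilenameError(ValueError):
    """Raised when a remote filename would escape or damage the target directory."""


def resolve_download_path(target_dir: str, remote_name: str) -> str:
    """Return the absolute path where `remote_name` may be written, or raise.

    Hypothetical helper. `remote_name` is the filename as received from the
    server (an item's file path, possibly attacker-controlled).
    """
    if not remote_name or remote_name != remote_name.strip():
        raise UnsafeFilenameError(f"empty or padded filename: {remote_name!r}")
    # Treat backslashes as separators too: 'a\\..\\b' is one component on
    # POSIX but a traversal on Windows, so normalise before inspecting.
    normalized = remote_name.replace("\\", "/")
    if posixpath.isabs(normalized):
        raise UnsafeFilenameError(f"absolute path not allowed: {remote_name!r}")
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if not parts:
        raise UnsafeFilenameError(f"filename has no components: {remote_name!r}")
    if any(p == ".." for p in parts):
        raise UnsafeFilenameError(f"traversal sequence in filename: {remote_name!r}")
    # Characters illegal in Windows filenames (':' also catches 'C:' drives);
    # rejected on every platform so results do not depend on the OS.
    illegal = set('<>:"|?*') | {chr(c) for c in range(32)}
    if any(ch in illegal for part in parts for ch in part):
        raise UnsafeFilenameError(f"illegal characters in filename: {remote_name!r}")
    base = os.path.realpath(target_dir)
    final = os.path.realpath(os.path.join(base, *parts))
    # Final containment check on the resolved path: catches anything the
    # lexical filters missed, e.g. a symlinked sub-directory inside target_dir.
    if os.path.commonpath([base, final]) != base:
        raise UnsafeFilenameError(f"resolved path escapes target: {final}")
    return final


def is_safe_filename(remote_name: str) -> bool:
    """True if `remote_name` could be written under the current directory."""
    try:
        resolve_download_path(".", remote_name)
    except UnsafeFilenameError:
        return False
    return True
```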
