We encountered an issue when running python scripts provided by
python3-fail2ban. The shebang '#!/usr/bin/env python3' was replaced by
'#!python', which caused these scripts to fail to run.
For example:
$ head -n 1 /usr/bin/fail2ban-testcases
#!python
$ /usr/bin/fail2ban-testcases
-sh: /usr/bin/fail2ban-testcases: cannot execute: required file not found
This issue was introduced by commit[1] in python3-setuptools 75.3.2. See
the upstream issue report[2] for more information.
Backport patches from [3] to fix this issue.
[1] c71266345c
[2] https://github.com/pypa/setuptools/issues/4934
[3] https://github.com/pypa/distutils/pull/358
(From OE-Core rev: d728ec95291f05cbfb436eabe8717ebe9a0dc11d)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
setuptools is a package that allows users to download, build, install,
upgrade, and uninstall Python packages. A path traversal vulnerability
in `PackageIndex` is present in setuptools prior to version 78.1.1. An
attacker would be allowed to write files to arbitrary locations on the
filesystem with the permissions of the process running the Python code,
which could escalate to remote code execution depending on the context.
Version 78.1.1 fixes the issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47273
Upstream-patch:
d8390feaa9250a6d1797
(From OE-Core rev: cfb2d77f841ae21cae0ba7d6263dc3e1e0280400)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
