Version in base suite: 66.1.1-1+deb12u1
Base version: setuptools_66.1.1-1+deb12u1
Target version: setuptools_66.1.1-1+deb12u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/setuptools/setuptools_66.1.1-1+deb12u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/s/setuptools/setuptools_66.1.1-1+deb12u2.dsc
changelog | 8 ++++++++
patches/CVE-2025-47273.patch | 13 +++++++++++++
patches/series | 1 +
3 files changed, 22 insertions(+)
diff -Nru setuptools-66.1.1/debian/changelog setuptools-66.1.1/debian/changelog
--- setuptools-66.1.1/debian/changelog 2024-12-31 00:08:15.000000000 +0000
+++ setuptools-66.1.1/debian/changelog 2025-05-27 11:43:25.000000000 +0000
@@ -1,3 +1,11 @@
+setuptools (66.1.1-1+deb12u2) bookworm; urgency=medium
+
+ * Non-maintainer upload by the Debian LTS team.
+ * Fix CVE-2025-47273:
+ - Path traversal in PackageIndex.download leads to Arbitrary File Write
+
+ -- Lee Garrett Tue, 27 May 2025 13:43:25 +0200
+
 setuptools (66.1.1-1+deb12u1) bookworm; urgency=medium
 
 * Non-maintainer upload by the Debian LTS team.
diff -Nru setuptools-66.1.1/debian/patches/CVE-2025-47273.patch setuptools-66.1.1/debian/patches/CVE-2025-47273.patch
--- setuptools-66.1.1/debian/patches/CVE-2025-47273.patch 1970-01-01 00:00:00.000000000 +0000
+++ setuptools-66.1.1/debian/patches/CVE-2025-47273.patch 2025-05-27 11:43:25.000000000 +0000
@@ -0,0 +1,13 @@
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -829,6 +829,10 @@
+
+ filename = os.path.join(tmpdir, name)
+
++ # ensure path resolves within the tmpdir
++ if not filename.startswith(str(tmpdir)):
++ raise ValueError(f"Invalid filename (unknown)")
++
+ return self._download_vcs(url, filename) or self._download_other(url, filename)
+
+ @staticmethod
diff -Nru setuptools-66.1.1/debian/patches/series setuptools-66.1.1/debian/patches/series
--- setuptools-66.1.1/debian/patches/series 2024-12-31 00:08:15.000000000 +0000
+++ setuptools-66.1.1/debian/patches/series 2025-05-27 11:43:25.000000000 +0000
@@ -15,3 +15,4 @@
 no-sphinx-custom-icons.diff
 no-sphinx-hoverxref.diff
 CVE-2024-6345.patch
+CVE-2025-47273.patch
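Review bot: The added guard `if not filename.startswith(str(tmpdir)):` is a string-prefix test rather than a path-containment test: it rejects an absolute `name` that os.path.join would return unchanged, but it does not resolve `..` segments or symlinks, and a path that merely begins with the tmpdir string (a sibling directory whose name extends tmpdir's) also passes. Unless the method already scrubs `..` from `name` before this point — its start is outside the hunk, so that cannot be confirmed here — a resolved-path check is more robust: `real_tmp = os.path.realpath(tmpdir)` / `if os.path.commonpath([real_tmp, os.path.realpath(filename)]) != real_tmp:` followed by the same raise. Separately, as rendered here `f"Invalid filename (unknown)"` is an f-string with no placeholder, so the rejected value is lost from the error; `raise ValueError(f"Invalid filename {filename!r}")` keeps the failure diagnosable. The enclosing method begins before the hunk and the inner context ends at `@staticmethod`, so the rest of the function is not visible.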