7.1 HIGH
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
wheel Allows Arbitrary File Permission Modification via Path Traversal
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
References
- https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx x_refsource_CONFIRM
- https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef x_refsource_MISC
- https://github.com/pypa/wheel/releases/tag/0.46.2 x_refsource_MISC
- https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx x_refsource_CONFIRM
- https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef x_refsource_MISC
- https://github.com/pypa/wheel/releases/tag/0.46.2 x_refsource_MISC
- https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx x_refsource_CONFIRM
- https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef x_refsource_MISC
- https://github.com/pypa/wheel/releases/tag/0.46.2 x_refsource_MISC
Affected products
- ==< 0.46.2
- ==>= 0.40.0, < 0.46.2
Matching in nixpkgs
pkgs.imwheel
Mouse wheel configuration tool for XFree86/Xorg
-
nixos-unstable 1.0.0pre12
- nixpkgs-unstable 1.0.0pre12
- nixos-unstable-small 1.0.0pre12
pkgs.auditwheel
Auditing and relabeling cross-distribution Linux wheels
pkgs.wheelwizard
WheelWizard, Retro Rewind Launcher
pkgs.flywheel-cli
Library and command line interface for interacting with a Flywheel site
pkgs.freewheeling
Live looping instrument with JACK and MIDI support
pkgs.unnaturalscrollwheels
Invert scroll direction for physical scroll wheels
pkgs.python312Packages.wheel
Built-package format for Python
pkgs.python313Packages.wheel
Built-package format for Python
pkgs.haskellPackages.timer-wheel
A timer wheel
pkgs.python312Packages.auditwheel
Auditing and relabeling cross-distribution Linux wheels
pkgs.python313Packages.auditwheel
Auditing and relabeling cross-distribution Linux wheels
pkgs.rxvt-unicode-plugins.vtwheel
Pass mouse wheel commands to secondary screens (screen, less, nano, etc)
pkgs.python312Packages.wheel-inspect
Extract information from wheels
pkgs.python313Packages.wheel-inspect
Extract information from wheels
pkgs.python312Packages.wheel-filename
Parse wheel filenames
pkgs.python313Packages.wheel-filename
Parse wheel filenames
pkgs.python312Packages.wheelUnpackHook
None
pkgs.python313Packages.wheelUnpackHook
None
pkgs.python312Packages.sqlcipher3-wheels
Python 3 bindings for SQLCipher
-
nixos-unstable sqlcipher3-wheels-0.5.4
- nixpkgs-unstable sqlcipher3-wheels-0.5.4
- nixos-unstable-small sqlcipher3-wheels-0.5.4
pkgs.python313Packages.sqlcipher3-wheels
Python 3 bindings for SQLCipher
-
nixos-unstable sqlcipher3-wheels-0.5.4
- nixpkgs-unstable sqlcipher3-wheels-0.5.4
- nixos-unstable-small sqlcipher3-wheels-0.5.4
pkgs.python312Packages.home-assistant-chip-wheels
Python wheels for APIs and tools related to CHIP
pkgs.python313Packages.home-assistant-chip-wheels
Python wheels for APIs and tools related to CHIP
Package maintainers
-
@DavHau David Hauer <d.hauer.it@gmail.com>
-
@rbreslow Rocky Breslow
-
@sepi Raffael Mancini <raffael@mancini.lu>
-
@jhillyerd James Hillyerd <james+nixos@hillyerd.com>
-
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
-
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
-
@siriobalmelli Sirio Balmelli <sirio@b-ad.ch>
-
@hafiz Ayaz Hafiz <ayaz.hafiz.1@gmail.com>
-
@emilytrau Emily Trau <emily+nix@downunderctf.com>
-
@danbst Danylo Hlynskyi <abcz2.uprola@gmail.com>
-
@DerHalbGrieche Vasilis Manetas <vasilis12.manetas@gmail.com>