
Python setuptools needs to be updated to 78.1.1 or later to address CVE-2025-47273

Open aaronmaxlevy opened this issue 8 months ago • 4 comments

CVE-2025-47273 is a high severity vulnerability in setuptools involving path traversal leading to arbitrary file writing.

Currently, protobuf is pinned to setuptools version 70.3.0 which is vulnerable. setuptools should be updated to 78.1.1 or later in order to address this.

aaronmaxlevy avatar Jun 09 '25 17:06 aaronmaxlevy
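The issue says nothing about how to find the vulnerable pin beyond naming the versions, so the following is an added example (not code from the issue or from the protobuf project) that audits requirements-style lines for setuptools specs below the 78.1.1 fix the issue names and reports the version installed in the current interpreter. The version comparison is deliberately simplified: it compares only the numeric release segment and drops pre-release and post-release suffixes, and the sample requirements text is constructed for the demonstration.

```python
"""Audit setuptools pins against the fix version for CVE-2025-47273."""
import re
from importlib import metadata

# First setuptools release the issue names as addressing CVE-2025-47273.
FIXED_VERSION = "78.1.1"

# Only the numeric release segment is compared; pre/post/dev suffixes are
# dropped (a simplification, not a full PEP 440 implementation).
_RELEASE_RE = re.compile(r"^\d+(?:\.\d+)*")
_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|~=|>=|<=|>|<|!=)\s*([0-9][0-9A-Za-z.*]*)"
)


def parse_version(version):
    """Return the release segment as a tuple padded to 3 parts: '70.3' -> (70, 3, 0)."""
    m = _RELEASE_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    parts.extend([0] * (3 - len(parts)))
    return tuple(parts)


def is_fixed(version):
    """True when the version is at or above the first fixed release."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def audit_requirements(text):
    """Scan requirements-style lines and return (line_number, spec, reason)
    for each setuptools spec that pins, or can resolve to, a version below
    FIXED_VERSION. Non-setuptools lines and comments are ignored."""
    findings = []
    fixed = parse_version(FIXED_VERSION)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, op, version = m.groups()
        if name.lower().replace("_", "-") != "setuptools":
            continue
        wildcard = "*" in version  # e.g. ==70.* ; compare the concrete prefix
        v = parse_version(version.rstrip("*."))
        reason = None
        if op == "==" and wildcard and v < fixed:
            reason = "wildcard pin can resolve below fixed version"
        elif op == "==" and v < fixed:
            reason = "exact pin below fixed version"
        elif op == "~=" and v < fixed:
            reason = "compatible-release spec can resolve below fixed version"
        elif op in (">=", ">") and v < fixed:
            reason = "lower bound admits vulnerable versions"
        elif op == "<" and v <= fixed:
            reason = "upper bound excludes every fixed version"
        elif op == "<=" and v < fixed:
            reason = "upper bound excludes every fixed version"
        if reason:
            findings.append((lineno, line, reason))
    return findings


def check_installed():
    """Return (installed_version, is_fixed) for this interpreter, or None
    when setuptools is not installed at all."""
    try:
        installed = metadata.version("setuptools")
    except metadata.PackageNotFoundError:
        return None
    return installed, is_fixed(installed)


# Constructed sample modelled on the pin the issue describes; not protobuf's real file.
SAMPLE_REQUIREMENTS = """\
# build deps (constructed sample)
setuptools==70.3.0
wheel>=0.43
protobuf>=5.0
"""

if __name__ == "__main__":
    for lineno, spec, reason in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {spec}: {reason}")
    print("installed setuptools:", check_installed())
```

Run it against the requirements or lock file that a build actually consumes, since a loose `>=` spec can still be resolved to a vulnerable version by an old lock file or a pinned index snapshot; the installed-version check covers the interpreter doing the build, which is where a vendored copy of setuptools would otherwise go unnoticed.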

We cannot update in place without breaks. Do you have recommendations on what we should be migrating to?

jguamie avatar Jun 10 '25 17:06 jguamie

> We cannot update in place without breaks. Do you have recommendations on what we should be migrating to?

So setuptools definitely should be updated, but the issue that is causing the build failure seems to be related to https://github.com/bazelbuild/bazel/issues/4327 and/or https://github.com/bazel-contrib/rules_python/issues/617 .

In theory, updating from Bazel 7.2.1 to 7.4.0 should fix this, except that I just tried that locally and it still didn't work. I will continue to look into this further, but essentially execroot/com_google_protobuf/external/protobuf_pip_deps_setuptools/site-packages/setuptools/_vendor/jaraco/text/Lorem ipsum.txt is missing because it isn't getting copied properly due to a space being present in the filename. This being despite the fact that in theory, this should work as of Bazel 7.4.0.

Definitely warrants further investigation.

aaronmaxlevy avatar Jun 10 '25 18:06 aaronmaxlevy

Actually, @jguamie — updating Bazel to 7.4.0 may fix it after all. I just updated my PR with that change and hopefully the tests will run and have a better outcome than before (if not all passing) :)

Oddly, it was still erroring out on my Mac, but I tried building with 7.4.0 on a linux machine, and it was successful :)

aaronmaxlevy avatar Jun 10 '25 21:06 aaronmaxlevy

Ugh — scratch that, I can only get it working locally if I manually use the standalone spawn mode instead of sandboxed.

Seems like this is a newly discovered Bazel bug, so I filed https://github.com/bazelbuild/bazel/issues/26255 with them.

aaronmaxlevy avatar Jun 11 '25 03:06 aaronmaxlevy

I've added an sh_binary wrapper to my code as suggested by the Bazel team at https://github.com/bazelbuild/bazel/issues/26255#issuecomment-2967403701 . This change fixed the build locally for me, so I am optimistic that this will work, but we'll see if/when the tests run.

aaronmaxlevy avatar Jun 30 '25 17:06 aaronmaxlevy