#1114635 python-internetarchive: CVE-2025-58438: Directory Traversal in File.download()

#1114635#5
Date: 2025-09-07 18:29:19 UTC
Hi,

The following vulnerability was published for python-internetarchive.

CVE-2025-58438[0]:
| internetarchive is a Python and Command-Line Interface to
| Archive.org. In versions 5.5.0 and below, there is a directory
| traversal (path traversal) vulnerability in the File.download()
| method of the internetarchive library. The file.download() method
| does not properly sanitize user-supplied filenames or validate the
| final download path. A maliciously crafted filename could contain
| path traversal sequences (e.g.,
| ../../../../windows/system32/file.txt) or illegal characters that,
| when processed, would cause the file to be written outside of the
| intended target directory. An attacker could potentially overwrite
| critical system files or application configuration files, leading to
| a denial of service, privilege escalation, or remote code execution,
| depending on the context in which the library is used.  The
| vulnerability is particularly critical for users on Windows systems,
| but all operating systems are affected. This issue is fixed in
| version 5.5.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-58438
https://www.cve.org/CVERecord?id=CVE-2025-58438
[1] https://github.com/jjjake/internetarchive/security/advisories/GHSA-wx3r-v6h7-frjp
[2] https://github.com/jjjake/internetarchive/commit/cba2d459e10a9489fb35caeba0b03e80f5f5d7c2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
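
The CVE text above describes the defect in general terms: a remote filename is joined onto the target directory without being sanitised and without the final path being validated. As an added example (not the internetarchive library's code and not its upstream fix), here is the kind of check a download routine can apply before opening the file for writing. The helper name `safe_download_path`, the `classify`/`demo` wrappers and the sample filenames are this example's own constructs; the first traversal string in the sample list is the one quoted in the CVE description. The containment check is done on `realpath`-resolved paths, which also catches a symlinked subdirectory that points outside the target, a case the lexical `..` check alone would miss.

```python
import os
import posixpath
import re
import tempfile

# Hypothetical helper, written for this example; it is not the
# internetarchive library's own code.  The remote filename is untrusted.
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def safe_download_path(target_dir: str, filename: str) -> str:
    """Return the absolute path at which `filename` may be written under
    `target_dir`, or raise ValueError if it would land anywhere else.

    Checks applied, in order:
      1. reject empty names and embedded NUL bytes;
      2. normalise to POSIX separators (item paths use '/'), then reject
         absolute paths and Windows drive-letter prefixes on every OS;
      3. normalise '.' / '..' components and reject any remaining '..';
      4. resolve both paths with realpath (follows symlinks) and require
         the candidate to be a strict descendant of the target directory.
    """
    if not filename or "\x00" in filename:
        raise ValueError("empty filename or embedded NUL byte")

    normalized = filename.replace("\\", "/")
    if normalized.startswith("/") or _DRIVE_RE.match(normalized):
        raise ValueError(f"absolute path not allowed: {filename!r}")

    parts = [p for p in posixpath.normpath(normalized).split("/")
             if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError(f"path traversal component in {filename!r}")

    base = os.path.realpath(target_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    # Containment check on *resolved* paths, so a symlinked subdirectory
    # cannot redirect the write outside `base` either.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"resolved path escapes target directory: {filename!r}")
    return candidate


def classify(target_dir: str, filenames) -> dict:
    """Map each name to True if accepted under target_dir, False if rejected."""
    result = {}
    for name in filenames:
        try:
            safe_download_path(target_dir, name)
            result[name] = True
        except ValueError:
            result[name] = False
    return result


# Constructed sample names for the demonstration.  The first traversal
# string is the one quoted in the CVE text; the others are further variants
# (backslash separators, absolute path, drive letter, '..' after a prefix).
SAMPLE_NAMES = [
    "item/file.txt",
    "a/../b.txt",
    "../../../../windows/system32/file.txt",
    "..\\..\\evil.txt",
    "/etc/passwd",
    "C:/windows/system32/file.txt",
    "a/../../b.txt",
    "",
]


def demo() -> dict:
    """Run the classifier against a fresh temporary target directory.

    Also plants a symlink inside the target that points to a second
    temporary directory: 'link/escaped.txt' passes every lexical check and
    is caught only by the realpath containment check.
    """
    with tempfile.TemporaryDirectory() as target_dir, \
            tempfile.TemporaryDirectory() as elsewhere:
        names = list(SAMPLE_NAMES)
        try:
            os.symlink(elsewhere, os.path.join(target_dir, "link"))
            names.append("link/escaped.txt")
        except OSError:
            pass  # symlink creation not permitted on this platform; skip
        return classify(target_dir, names)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'accept' if ok else 'REJECT'}  {name!r}")
```

Only `item/file.txt` and `a/../b.txt` (which normalises to `b.txt`, still inside the target) are accepted; everything else is refused before any file is opened. A real download routine would also want to create the parent directory with `os.makedirs(..., exist_ok=True)` only after this check has passed.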

#1114635#10
Date: 2025-09-08 14:00:13 UTC
I have an upload ready for unstable already, changelog looks like this:

python-internetarchive (5.5.1-1) unstable; urgency=high

  * new upstream release (Closes: #1114635, CVE-2025-58438)


... feels like mostly small features and bugfixes to me...

Thanks for the feedback,

a.

#1114635#13
Date: 2025-09-09 17:21:30 UTC
Hello,

Bug #1114635 in python-internetarchive reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/packages/python-internetarchive/-/commit/c0eb900462f525af738ce1a33cd0349af4b60e1b
------------------------------------------------------------------------
prepare new upstream release (Closes: #1114635, CVE-2025-58438)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1114635

#1114635#20
Date: 2025-09-09 17:36:05 UTC
We believe that the bug you reported is fixed in the latest version of
python-internetarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1114635@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Beaupré <anarcat@debian.org> (supplier of updated python-internetarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 08 Sep 2025 09:50:19 -0400
Source: python-internetarchive
Architecture: source
Version: 5.5.1-1
Distribution: unstable
Urgency: high
Maintainer: Antoine Beaupré <anarcat@debian.org>
Changed-By: Antoine Beaupré <anarcat@debian.org>
Closes: 1114635
Changes:
 python-internetarchive (5.5.1-1) unstable; urgency=high
 .
   * new upstream release (Closes: #1114635, CVE-2025-58438)
Checksums-Sha1:
 58ba594ee8cdf3ba8734dc663d96ed1645b6be93 1653 python-internetarchive_5.5.1-1.dsc
 dbf0d32b74ae06f731fa6ee0470e855fa407029e 157765 python-internetarchive_5.5.1.orig.tar.gz
 05b7452362804675cef5ec510a5bcb7b8bb60317 13588 python-internetarchive_5.5.1-1.debian.tar.xz
 8c9de1831bbeb850ccecc664aacb299aff47bfcc 7044 python-internetarchive_5.5.1-1_amd64.buildinfo
Checksums-Sha256:
 71355a660ad4264e1515b23635ce32309047e34cbb3385f12f4e5214590ed4de 1653 python-internetarchive_5.5.1-1.dsc
 01ea8fb7a2fb9fbec2ee994594e4b746d3224c81928f9f3b830153c6d4a074c5 157765 python-internetarchive_5.5.1.orig.tar.gz
 4f8a1496958861b44ec95fab126f5e7da35f0fe5e5da0ce7ce94a3d57851d26e 13588 python-internetarchive_5.5.1-1.debian.tar.xz
 4c7d9f559662d2afb56680c2c8022ddc3bbbdf29fe17dc2046ecc280a8d4a0f5 7044 python-internetarchive_5.5.1-1_amd64.buildinfo
Files:
 f892400923580cda677249dc7cb8ad34 1653 python optional python-internetarchive_5.5.1-1.dsc
 f2b3392040a73c13dd3bb43f8b4e840b 157765 python optional python-internetarchive_5.5.1.orig.tar.gz
 8eda55b1ce3eb932ee03bfb184d8c77d 13588 python optional python-internetarchive_5.5.1-1.debian.tar.xz
 37d5e56fb9fbe892ccd013fb8442bedb 7044 python optional python-internetarchive_5.5.1-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQS7ts1MmNdOE1inUqYCKTpvpOU0cwUCaMBh1gAKCRACKTpvpOU0
c/iFAQDJr1XFkQjAVknqIqQ+xw/3bxZQkYlbbr3+p0EIuiwD0gD/V5P4RA0cA2RB
tNgMdkND7OAMpmOSxBYkXejdSKTTigc=
=+QRY
-----END PGP SIGNATURE-----

#1114635#25
Date: 2025-09-09 17:58:33 UTC
So I've uploaded that to unstable already...


[...]

[...]

Not having had any feedback on this, I've prepared a debdiff for a
simpler backport of the patch (as opposed to the whole upstream), see
the attachment.

I am waiting on input from the security team before performing this
upload, as directed by:

https://www.debian.org/doc/manuals/developers-reference/pkgs.html#security-uploads

I have not checked whether bookworm also needs a kick, I assume it
does, but the version there is far older and the backport will be much
more challenging.

I would recommend dropping security support for that version.

a.

#1114635#30
Date: 2025-09-11 20:04:03 UTC
Hi Antoine,

[Adding CC to team@security.debian.org]

Apologies for the delay, we had other issues which needed more
attention first.

We had brief discussions about python-internetarchive in the team and
think the issue might warrant a DSA.

Could you prepare debdiffs for both trixie-security and
bookworm-security (at least we should attempt, bookworm is still
security-supported for another year by regular security support
before moving to LTS)?

https://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security
contains some additional hints (linked from your reference).

I have added python-internetarchive to our dsa-needed list, so once we
have debdiffs for review and ack, we can proceed.

Regards,
Salvatore

#1114635#35
Date: 2025-09-15 19:14:30 UTC
np.

[...]

Here you go! Let's see if I can still do this...

a.

#1114635#40
Date: 2025-09-18 19:59:52 UTC
Thanks, I'll review the patches tomorrow.

Cheers,
        Moritz