#1132609 poetry: CVE-2026-34591

Package:
src:poetry
Source:
src:poetry
Submitter:
Salvatore Bonaccorso
Date:
2026-06-22 09:21:00 UTC
Severity:
normal
Tags:
#1132609#5
Date:
2026-04-03 16:17:34 UTC
From:
To:
Hi,

The following vulnerability was published for poetry.

CVE-2026-34591[0]:
| Poetry is a dependency manager for Python. From version 1.4.0 to
| before version 2.3.3, a crafted wheel can contain ../ paths that
| Poetry writes to disk without containment checks, allowing arbitrary
| file write with the privileges of the Poetry process. It is
| reachable from untrusted package artifacts during normal install
| flows. (Normally, installing a malicious wheel is not sufficient for
| execution of malicious code. Malicious code will only be executed
| after installation if the malicious package is imported or invoked
| by the user.). This issue has been patched in version 2.3.3.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-34591
https://www.cve.org/CVERecord?id=CVE-2026-34591
[1] https://github.com/python-poetry/poetry/pull/10792
[2] https://github.com/python-poetry/poetry/security/advisories/GHSA-2599-h6xx-hpxp
[3] https://github.com/python-poetry/poetry/commit/e068177d1bfef65de4c55cf71c36de27057f10e7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
#1132609#12
Date:
2026-06-20 23:01:36 UTC
From:
To:
Dear maintainer,

I've prepared an NMU for poetry (versioned as 2.3.4-0.1) and uploaded
it to DELAYED/2. Please feel free to tell me if I should cancel it.

cu
Adrian
#1132609#21
Date:
2026-06-22 09:18:48 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
poetry, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1132609@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated poetry package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 21 Jun 2026 00:00:28 +0300
Source: poetry
Architecture: source
Version: 2.3.4-0.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1132609
Changes:
 poetry (2.3.4-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - CVE-2026-34591: Wheel Path Traversal Leading to Arbitrary File Write
       (Closes: #1132609)
Checksums-Sha1:
 c9c63a0792b3aec6815df9ccb948678aa853e1bd 3230 poetry_2.3.4-0.1.dsc
 8497b386b5b86bbff6ede106bf4f3166d868c9f0 4120908 poetry_2.3.4.orig.tar.xz
 f1db7b419da4340e16d148933617f2b886f947fb 9660 poetry_2.3.4-0.1.debian.tar.xz
Checksums-Sha256:
 0f2ec6546e9931c4ffeb8380f676e640d53e66f83e561d14d29360e91a1a1fcf 3230 poetry_2.3.4-0.1.dsc
 51aaaa06d2ca843134fc188e23f5f4ac400eeafd4d73e967d03c7c9721a2ea96 4120908 poetry_2.3.4.orig.tar.xz
 16349696172a24aa33a40c05659cf8cac9aeb5b6f94e8629ec0cbf0498394dbb 9660 poetry_2.3.4-0.1.debian.tar.xz
Files:
 ce6985a057bba50a79dac83eb3eda46e 3230 python optional poetry_2.3.4-0.1.dsc
 ea3172f5d6e442b171627f89fb49dd6f 4120908 python optional poetry_2.3.4.orig.tar.xz
 c9ae0447a7d369ec2de9871923b8b11f 9660 python optional poetry_2.3.4-0.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmo3F9gACgkQiNJCh6LY
mLEgsRAAq2W211kv0S93Sl5gWuyzr1SlozgY3e6j0oZO5RzbR4oC8A65+js8iD2J
vX4pjeEhrsHgeSdGJ8EdKm4MmcwR0ug8/n6e8G7UZvsG0LpsbZQXIjfdVzsNlsCk
IFiFBokawIVyTjIPri0AEJqYmaQwY48P7CYbKArnzR/D3dK2r2e4Jg/9BgzF/Bn4
eHvFJKNK0osp6V0FxFjkee3HO4O9vOXq/oKYtuLuMaKhiwNy28seRKRROBwnNNoJ
5O24aNZBkV2C4mu/P4XEPuqaTSIG5YGbJXUgg0AqaZGpvxVCVOVT7EL9yBWSdTwy
/Vy0WydM94mDN1la5zNbfXrch76vwWYIiYdeGhL/GStb5LcKe7Ed+sVk1CLSTqc0
u+5pwoIrLF0wasO6GFhZu7gbHQOUUicW6Kiqm3IcgwDDhi4WrMr0lQY/RtuKCMpy
pFnTrKa82QhA9U48RtzNrTimLyWZESNL5bmw22LUMdvVY/N3OvIXmsIV2QB99koZ
Xw7TsOEXipJYrQy4CxQQiFFB7/F2EnJpVV9g0TDdNJwvUZLWeVz41TH4KKfRlIew
itOs5zrnm4jWVRYa5SeaPs6qfbkEy7GoGzqvD1H2n45oDhpdjDhu8GHMR8OCWsMS
paotgtWudZqFH/Gk6YPu+AfC6Ks/9OCZCQ+rZ+xiKivD5BbX7Mc=
=iPBC
-----END PGP SIGNATURE-----