Update dependency pyinstaller to v5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
pyinstaller (source)	^4.1 -> ^5.0.0

GitHub Vulnerability Alerts

CVE-2023-49797

Impact

A PyInstaller built application, elevated as a privileged process, may be tricked by an unprivileged attacker into deleting files the unprivileged user does not otherwise have access to.

A user is affected if all the following are satisfied:

• The user runs an application containing either matplotlib or win32com.
• The application is ran as administrator (or at least a user with higher privileges than the attacker).
• The user's temporary directory is not locked to that specific user (most likely due to TMP/TEMP environment variables pointing to an unprotected, arbitrary, non default location).
• Either:
  • The attacker is able to very carefully time the replacement of a temporary file with a symlink. This switch must occur exactly between shutil.rmtree()'s builtin symlink check and the deletion itself
  • The application was built with Python 3.7.x or earlier which has no protection against Directory Junctions links

Patches

The vulnerability has been addressed in https://github.com/pyinstaller/pyinstaller/pull/7827 which corresponds to pyinstaller >= 5.13.1

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

No workaround, although the attack complexity becomes much higher if the application is built with Python >= 3.8.0.

---

Release Notes

pyinstaller/pyinstaller (pyinstaller)

v5.13.1

Compare Source

Please see the v5.13.1 section of the changelog for a list of the changes since v5.13.0. Note that this is a bugfix only release. It's primary purpose is to publish https://github.com/pyinstaller/pyinstaller/pull/7827.

v5.13.0

Compare Source

Please see the v5.13.0 section of the changelog for a list of the changes since v5.12.0.

Note that this is intended to be the last v5.x release. v6.0 will contain breaking changes from #​7619, #​7713 and #​6999. If you want to avoid unexpected disruption, you may wish to pin pyinstaller (e.g. pip install "pyinstaller<6").

v5.12.0

Compare Source

Please see the v5.12.0 section of the changelog for a list of the changes since v5.11.0.

v5.11.0

Compare Source

Please see the v5.11.0 section of the changelog for a list of the changes since v5.10.1.

v5.10.1

Compare Source

Please see the v5.10.1 section of the changelog for a list of the changes since v5.10.0.

v5.10.0

Compare Source

Please see the v5.10.0 section of the changelog for a list of the changes since v5.9.0.

v5.9.0

Compare Source

Please see the v5.9.0 section of the changelog for a list of the changes since v5.8.0.

v5.8.0

Compare Source

Please see the v5.8.0 section of the changelog for a list of the changes since v5.7.0.

v5.7.0

Compare Source

Please see the v5.7.0 section of the changelog for a list of the changes since v5.6.2.

v5.6.2

Compare Source

Please see the v5.6.2 section of the changelog for a list of the changes since v5.6.1.

v5.6.1

Compare Source

Please see the v5.6.1 section of the changelog for a list of the changes since v5.6.

v5.6

Compare Source

Please see the v5.6 section of the changelog for a list of the changes since v5.5.

v5.5

Compare Source

Please see the v5.5 section of the changelog for a list of the changes since v5.4.1.

v5.4.1

Compare Source

Please see the v5.4.1 section of the changelog for a list of the changes since v5.4.

v5.4

Compare Source

Please see the v5.4 section of the changelog for a list of the changes since v5.3.

v5.3

Compare Source

Please see the v5.3 section of the changelog for a list of the changes since v5.2.

v5.2

Compare Source

Please see the v5.2 section of the changelog for a list of the changes since v5.1.

v5.1

Compare Source

Please see the v5.1 section of the changelog for a list of the changes.

v5.0.1

Compare Source

v5.0

Compare Source

Please see the v5.0 section of the changelog for a list of the changes since v4.10.

v4.10

Compare Source

Please see the v4.10 section of the changelog for a list of the changes since v4.9.

v4.9

Compare Source

Please see the v4.9 section of the changelog for a list of the changes since v4.8.

v4.8

Compare Source

Please see the v4.8 section of the changelog for a list of the changes since v4.7.

v4.7

Compare Source

Please see the v4.7 section of the changelog for a list of the changes since v4.6.

v4.6

Compare Source

Please see the v4.6 section of the changelog for a list of the changes since v4.5.1.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: poetry.lock

Updating dependencies
Resolving dependencies...


The current project's Python requirement (>=3.8,<4.0) is not compatible with some of the required packages Python requirement:
  - pyinstaller requires Python <3.11,>=3.7, so it will not be satisfied for Python >=3.11,<4.0
  - pyinstaller requires Python <3.11,>=3.7, so it will not be satisfied for Python >=3.11,<4.0
  - pyinstaller requires Python <3.11,>=3.7, so it will not be satisfied for Python >=3.11,<4.0
  - pyinstaller requires Python <3.11,>=3.7, so it will not be satisfied for Python >=3.11,<4.0
  - pyinstaller requires Python <3.11,>=3.7, so it will not be satisfied for Python >=3.11,<4.0
  - pyinstaller requires Python <3.11,>=3.7, so it will not be satisfied for Python >=3.11,<4.0
  - pyinstaller requires Python <3.11,>=3.7, so it will not be satisfied for Python >=3.11,<4.0
  - pyinstaller requires Python <3.12,>=3.7, so it will not be satisfied for Python >=3.12,<4.0
  - pyinstaller requires Python <3.12,>=3.7, so it will not be satisfied for Python >=3.12,<4.0
  - pyinstaller requires Python <3.12,>=3.7, so it will not be satisfied for Python >=3.12,<4.0
  - pyinstaller requires Python <3.12,>=3.7, so it will not be satisfied for Python >=3.12,<4.0
  - pyinstaller requires Python <3.12,>=3.7, so it will not be satisfied for Python >=3.12,<4.0
  - pyinstaller requires Python <3.12,>=3.7, so it will not be satisfied for Python >=3.12,<4.0
  - pyinstaller requires Python <3.12,>=3.7, so it will not be satisfied for Python >=3.12,<4.0
  - pyinstaller requires Python <3.12,>=3.7, so it will not be satisfied for Python >=3.12,<4.0
  - pyinstaller requires Python <3.12,>=3.7, so it will not be satisfied for Python >=3.12,<4.0
  - pyinstaller requires Python <3.12,>=3.7, so it will not be satisfied for Python >=3.12,<4.0
  - pyinstaller requires Python <3.12,>=3.7, so it will not be satisfied for Python >=3.12,<4.0
  - pyinstaller requires Python <3.13,>=3.7, so it will not be satisfied for Python >=3.13,<4.0
  - pyinstaller requires Python <3.13,>=3.7, so it will not be satisfied for Python >=3.13,<4.0
  - pyinstaller requires Python <3.13,>=3.7, so it will not be satisfied for Python >=3.13,<4.0

Because no versions of pyinstaller match >5.0.0,<5.0.1 || >5.0.1,<5.1 || >5.1,<5.2 || >5.2,<5.3 || >5.3,<5.4 || >5.4,<5.4.1 || >5.4.1,<5.5 || >5.5,<5.6 || >5.6,<5.6.1 || >5.6.1,<5.6.2 || >5.6.2,<5.7.0 || >5.7.0,<5.8.0 || >5.8.0,<5.9.0 || >5.9.0,<5.10.0 || >5.10.0,<5.10.1 || >5.10.1,<5.11.0 || >5.11.0,<5.12.0 || >5.12.0,<5.13.0 || >5.13.0,<5.13.1 || >5.13.1,<5.13.2 || >5.13.2,<6.0.0
 and pyinstaller (5.0) requires Python <3.11,>=3.7, pyinstaller is forbidden.
And because pyinstaller (5.0.1) requires Python <3.11,>=3.7, pyinstaller is forbidden.
And because pyinstaller (5.1) requires Python <3.11,>=3.7
 and pyinstaller (5.2) requires Python <3.11,>=3.7, pyinstaller is forbidden.
And because pyinstaller (5.3) requires Python <3.11,>=3.7
 and pyinstaller (5.4) requires Python <3.11,>=3.7, pyinstaller is forbidden.
And because pyinstaller (5.4.1) requires Python <3.11,>=3.7
 and pyinstaller (5.5) requires Python <3.12,>=3.7, pyinstaller is forbidden.
And because pyinstaller (5.6) requires Python <3.12,>=3.7
 and pyinstaller (5.6.1) requires Python <3.12,>=3.7, pyinstaller is forbidden.
And because pyinstaller (5.6.2) requires Python <3.12,>=3.7
 and pyinstaller (5.7.0) requires Python <3.12,>=3.7, pyinstaller is forbidden.
And because pyinstaller (5.8.0) requires Python <3.12,>=3.7
 and pyinstaller (5.9.0) requires Python <3.12,>=3.7, pyinstaller is forbidden.
And because pyinstaller (5.10.0) requires Python <3.12,>=3.7
 and pyinstaller (5.10.1) requires Python <3.12,>=3.7, pyinstaller is forbidden.
And because pyinstaller (5.11.0) requires Python <3.12,>=3.7
 and pyinstaller (5.12.0) requires Python <3.12,>=3.7, pyinstaller is forbidden.
And because pyinstaller (5.13.0) requires Python <3.13,>=3.7
 and pyinstaller (5.13.1) requires Python <3.13,>=3.7, pyinstaller is forbidden.
So, because pyinstaller (5.13.2) requires Python <3.13,>=3.7
 and chachacha depends on pyinstaller (^5.0.0), version solving failed.

  • Check your dependencies Python requirement: The Python requirement can be specified via the `python` or `markers` properties
    
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.11"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.11"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.11"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.11"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.11"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.11"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.11"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.12"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.12"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.12"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.12"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.12"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.12"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.12"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.12"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.12"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.12"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.12"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.13"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.13"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.13"

    https://python-poetry.org/docs/dependency-specification/#python-restricted-dependencies,
    https://python-poetry.org/docs/dependency-specification/#using-environment-markers