Skip to content

Update dependency pyinstaller to v6 [SECURITY] #244

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Update dependency pyinstaller to v6 [SECURITY] #244

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 6, 2024
edited
Loading

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package Change Age Confidence
pyinstaller (source, changelog) ^4.1 -> ^6.0.0 age confidence

GitHub Vulnerability Alerts

CVE-2023-49797

Impact

A PyInstaller built application, elevated as a privileged process, may be tricked by an unprivileged attacker into deleting files the unprivileged user does not otherwise have access to.

A user is affected if all the following are satisfied:

  • The user runs an application containing either matplotlib or win32com.
  • The application is ran as administrator (or at least a user with higher privileges than the attacker).
  • The user's temporary directory is not locked to that specific user (most likely due to TMP/TEMP environment variables pointing to an unprotected, arbitrary, non default location).
  • Either:
    • The attacker is able to very carefully time the replacement of a temporary file with a symlink. This switch must occur exactly between shutil.rmtree()'s builtin symlink check and the deletion itself
    • The application was built with Python 3.7.x or earlier which has no protection against Directory Junctions links

Patches

The vulnerability has been addressed in https://github.com/pyinstaller/pyinstaller/pull/7827 which corresponds to pyinstaller >= 5.13.1

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

No workaround, although the attack complexity becomes much higher if the application is built with Python >= 3.8.0.

CVE-2025-59042

Impact

Due to a special entry being appended to sys.path during the bootstrap process of a PyInstaller-frozen application, and due to the bootstrap script attempting to load an optional module for bytecode decryption while this entry is still present in sys.path, an application built with PyInstaller < 6.0.0 may be tricked by an unprivileged attacker into executing arbitrary python code when all of the following conditions are met:

  1. Application is built with PyInstaller < 6.0.0; both onedir and onefile mode are affected.
  2. Optional bytecode encryption code feature was not enabled during the application build.
  3. The attacker can create files/directories in the same directory where the executable is located.
  4. The filesystem supports creation of files/directories that contain ? in their name (i.e., non-Windows systems).
  5. The attacker is able to determine the offset at which the PYZ archive is embedded in the executable.

The attacker can create a directory (or a zip archive) next to the executable, with the name that matches the format used by PyInstaller's bootloader to transmit information about the location of PYZ archive to the bootstrap script. If this directory (or zip archive) contains a python module whose name matches the name used by the optional bytecode encryption feature, this module will be loaded and executed by the bootstrap script (in the absence of the real, built-in module that is available when the bytecode-encryption feature is enabled). This results in arbitrary code execution that requires no modification of the executable itself.

If the executable is running with elevated privileges (for example, due to having the setuid bit set), the code in the injected module is also executed with the said elevated privileges, resulting in a local privilege escalation.

Patches

PyInstaller 6.0.0 (f5adf291c8b832d5aff7632844f7e3ddf7ad4923) removed support for bytecode encryption; this effectively removes the described attack vector, due to the bootstrap script not attempting to load the optional module for bytecode-decryption anymore.

PyInstaller 6.10.0 (cfd60b510f95f92cb81fc42735c399bb781a4739) reworked the bootstrap process to avoid (ab)using sys.path for transmitting location of the PYZ archive, which further eliminates the possibility of described injection procedure.

Workarounds

If upgrading PyInstaller is no feasible, this issue can be worked around by ensuring proper permissions on directories containing security-sensitive executables (i.e., executables with setuid bit set) should mitigate the issue.

Release Notes

pyinstaller/pyinstaller (pyinstaller)

v6.0.0

Compare Source

Please see the v6.0.0 section of the changelog for a list of the changes since v5.13.2.

v5.13.2

Compare Source

Please see the v5.13.2 section of the changelog for a list of the changes since v5.13.1.

v5.13.1

Compare Source

Please see the v5.13.1 section of the changelog for a list of the changes since v5.13.0. Note that this is a bugfix only release. It's primary purpose is to publish #​7827.

v5.13.0

Compare Source

Please see the v5.13.0 section of the changelog for a list of the changes since v5.12.0.

Note that this is intended to be the last v5.x release. v6.0 will contain breaking changes from #​7619, #​7713 and #​6999. If you want to avoid unexpected disruption, you may wish to pin pyinstaller (e.g. pip install "pyinstaller<6").

v5.12.0

Compare Source

Please see the v5.12.0 section of the changelog for a list of the changes since v5.11.0.

v5.11.0

Compare Source

Please see the v5.11.0 section of the changelog for a list of the changes since v5.10.1.

v5.10.1

Compare Source

Please see the v5.10.1 section of the changelog for a list of the changes since v5.10.0.

v5.10.0

Compare Source

Please see the v5.10.0 section of the changelog for a list of the changes since v5.9.0.

v5.9.0

Compare Source

Please see the v5.9.0 section of the changelog for a list of the changes since v5.8.0.

v5.8.0

Compare Source

Please see the v5.8.0 section of the changelog for a list of the changes since v5.7.0.

v5.7.0

Compare Source

Please see the v5.7.0 section of the changelog for a list of the changes since v5.6.2.

v5.6.2

Compare Source

Please see the v5.6.2 section of the changelog for a list of the changes since v5.6.1.

v5.6.1

Compare Source

Please see the v5.6.1 section of the changelog for a list of the changes since v5.6.

v5.6

Compare Source

Please see the v5.6 section of the changelog for a list of the changes since v5.5.

v5.5

Compare Source

Please see the v5.5 section of the changelog for a list of the changes since v5.4.1.

v5.4.1

Compare Source

Please see the v5.4.1 section of the changelog for a list of the changes since v5.4.

v5.4

Compare Source

Please see the v5.4 section of the changelog for a list of the changes since v5.3.

v5.3

Compare Source

Please see the v5.3 section of the changelog for a list of the changes since v5.2.

v5.2

Compare Source

Please see the v5.2 section of the changelog for a list of the changes since v5.1.

v5.1

Compare Source

Please see the v5.1 section of the changelog for a list of the changes.

v5.0.1

Compare Source

v5.0

Compare Source

Please see the v5.0 section of the changelog for a list of the changes since v4.10.

v4.10

Compare Source

Please see the v4.10 section of the changelog for a list of the changes since v4.9.

v4.9

Compare Source

Please see the v4.9 section of the changelog for a list of the changes since v4.8.

v4.8

Compare Source

Please see the v4.8 section of the changelog for a list of the changes since v4.7.

v4.7

Compare Source

Please see the v4.7 section of the changelog for a list of the changes since v4.6.

v4.6

Compare Source

Please see the v4.6 section of the changelog for a list of the changes since v4.5.1.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate Renovate
Copy link
Contributor Author

renovate bot commented Aug 6, 2024
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: poetry.lock
Updating dependencies
Resolving dependencies...

Creating virtualenv chachacha-vpBd-76_-py3.13 in /home/ubuntu/.cache/pypoetry/virtualenvs

The current project's Python requirement (>=3.8,<4.0) is not compatible with some of the required packages Python requirement:
  - pyinstaller requires Python <3.13,>=3.8, so it will not be satisfied for Python >=3.13,<4.0
  - pyinstaller requires Python <3.13,>=3.8, so it will not be satisfied for Python >=3.13,<4.0
  - pyinstaller requires Python <3.13,>=3.8, so it will not be satisfied for Python >=3.13,<4.0
  - pyinstaller requires Python <3.13,>=3.8, so it will not be satisfied for Python >=3.13,<4.0
  - pyinstaller requires Python <3.13,>=3.8, so it will not be satisfied for Python >=3.13,<4.0
  - pyinstaller requires Python <3.13,>=3.8, so it will not be satisfied for Python >=3.13,<4.0
  - pyinstaller requires Python <3.13,>=3.8, so it will not be satisfied for Python >=3.13,<4.0
  - pyinstaller requires Python <3.13,>=3.8, so it will not be satisfied for Python >=3.13,<4.0
  - pyinstaller requires Python <3.13,>=3.8, so it will not be satisfied for Python >=3.13,<4.0
  - pyinstaller requires Python <3.13,>=3.8, so it will not be satisfied for Python >=3.13,<4.0
  - pyinstaller requires Python <3.14,>=3.8, so it will not be satisfied for Python >=3.14,<4.0
  - pyinstaller requires Python <3.14,>=3.8, so it will not be satisfied for Python >=3.14,<4.0
  - pyinstaller requires Python <3.14,>=3.8, so it will not be satisfied for Python >=3.14,<4.0
  - pyinstaller requires Python <3.14,>=3.8, so it will not be satisfied for Python >=3.14,<4.0
  - pyinstaller requires Python <3.14,>=3.8, so it will not be satisfied for Python >=3.14,<4.0
  - pyinstaller requires Python <3.14,>=3.8, so it will not be satisfied for Python >=3.14,<4.0
  - pyinstaller requires Python <3.14,>=3.8, so it will not be satisfied for Python >=3.14,<4.0
  - pyinstaller requires Python <3.14,>=3.8, so it will not be satisfied for Python >=3.14,<4.0
  - pyinstaller requires Python <3.15,>=3.8, so it will not be satisfied for Python >=3.15,<4.0

Because no versions of pyinstaller match >6.0.0,<6.1.0 || >6.1.0,<6.2.0 || >6.2.0,<6.3.0 || >6.3.0,<6.4.0 || >6.4.0,<6.5.0 || >6.5.0,<6.6.0 || >6.6.0,<6.7.0 || >6.7.0,<6.8.0 || >6.8.0,<6.9.0 || >6.9.0,<6.10.0 || >6.10.0,<6.11.0 || >6.11.0,<6.11.1 || >6.11.1,<6.12.0 || >6.12.0,<6.13.0 || >6.13.0,<6.14.0 || >6.14.0,<6.14.1 || >6.14.1,<6.14.2 || >6.14.2,<6.15.0 || >6.15.0,<7.0.0
 and pyinstaller (6.0.0) requires Python <3.13,>=3.8, pyinstaller is forbidden.
And because pyinstaller (6.1.0) requires Python <3.13,>=3.8, pyinstaller is forbidden.
And because pyinstaller (6.2.0) requires Python <3.13,>=3.8
 and pyinstaller (6.3.0) requires Python <3.13,>=3.8, pyinstaller is forbidden.
And because pyinstaller (6.4.0) requires Python <3.13,>=3.8
 and pyinstaller (6.5.0) requires Python <3.13,>=3.8, pyinstaller is forbidden.
And because pyinstaller (6.6.0) requires Python <3.13,>=3.8
 and pyinstaller (6.7.0) requires Python <3.13,>=3.8, pyinstaller is forbidden.
And because pyinstaller (6.8.0) requires Python <3.13,>=3.8
 and pyinstaller (6.9.0) requires Python <3.13,>=3.8, pyinstaller is forbidden.
And because pyinstaller (6.10.0) requires Python <3.14,>=3.8
 and pyinstaller (6.11.0) requires Python <3.14,>=3.8, pyinstaller is forbidden.
And because pyinstaller (6.11.1) requires Python <3.14,>=3.8
 and pyinstaller (6.12.0) requires Python <3.14,>=3.8, pyinstaller is forbidden.
And because pyinstaller (6.13.0) requires Python <3.14,>=3.8
 and pyinstaller (6.14.0) requires Python <3.14,>=3.8, pyinstaller is forbidden.
And because pyinstaller (6.14.1) requires Python <3.14,>=3.8
 and pyinstaller (6.14.2) requires Python <3.14,>=3.8, pyinstaller is forbidden.
So, because pyinstaller (6.15.0) requires Python <3.15,>=3.8
 and chachacha depends on pyinstaller (^6.0.0), version solving failed.

  • Check your dependencies Python requirement: The Python requirement can be specified via the `python` or `markers` properties
    
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.13"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.13"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.13"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.13"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.13"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.13"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.13"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.13"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.13"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.13"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.14"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.14"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.14"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.14"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.14"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.14"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.14"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.14"
    For pyinstaller, a possible solution would be to set the `python` property to ">=3.8,<3.15"

    https://python-poetry.org/docs/dependency-specification/#python-restricted-dependencies,
    https://python-poetry.org/docs/dependency-specification/#using-environment-markers

@renovate renovate bot force-pushed the renovate/pypi-pyinstaller-vulnerability branch from 8e912ce to 599a572 Compare September 10, 2025 21:53
@renovate renovate bot changed the title Update dependency pyinstaller to v5 [SECURITY] Update dependency pyinstaller to v6 [SECURITY] Sep 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants