GHSA-R35X-V8P8-XVHW
Vulnerability from github – Published: 2026-05-04 20:14 – Updated: 2026-05-13 13:39Impact
pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine.
The macro evaluates during spec parsing, not only during the build step. Any rpm tool touching the generated spec triggers execution, rpmbuild -bs, rpmbuild --nobuild, rpm -q --specfile, so the victim doesn't need to commit to a full build before getting compromised. The realistic attack path is typosquatting or targeting a package known to be under Fedora review rather than drive-by publishing. Fedora packagers hold dist-git SSH keys, Koji build credentials, and Bodhi update credentials, so compromise of one packager's workstation enables committing malicious source to dist-git and riding it through the normal build pipeline to end users.
Patches
Patched in 0.14.1.
Workarounds
None
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyp2spec"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.14.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42301"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T20:14:38Z",
"nvd_published_at": "2026-05-09T04:16:25Z",
"severity": "HIGH"
},
"details": "### Impact\npyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine.\n\nThe macro evaluates during spec parsing, not only during the build step. Any rpm tool touching the generated spec triggers execution, `rpmbuild -bs`, `rpmbuild --nobuild`, `rpm -q --specfile`, so the victim doesn\u0027t need to commit to a full build before getting compromised. The realistic attack path is typosquatting or targeting a package known to be under Fedora review rather than drive-by publishing. Fedora packagers hold dist-git SSH keys, Koji build credentials, and Bodhi update credentials, so compromise of one packager\u0027s workstation enables committing malicious source to dist-git and riding it through the normal build pipeline to end users.\n\n### Patches\nPatched in 0.14.1.\n\n### Workarounds\nNone",
"id": "GHSA-r35x-v8p8-xvhw",
"modified": "2026-05-13T13:39:32Z",
"published": "2026-05-04T20:14:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/befeleme/pyp2spec/security/advisories/GHSA-r35x-v8p8-xvhw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42301"
},
{
"type": "PACKAGE",
"url": "https://github.com/befeleme/pyp2spec"
},
{
"type": "WEB",
"url": "https://github.com/befeleme/pyp2spec/releases/tag/v0.14.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "pyp2spec is Vulnerable to Code Injection"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.