pyinstaller@3.2.1 vulnerabilities

PyInstaller bundles a Python application and all its dependencies into a single package.

Direct Vulnerabilities

Known vulnerabilities in the pyinstaller package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Race Condition

pyinstaller is a package that bundles a Python application and all its dependencies into a single package

Affected versions of this package are vulnerable to Race Condition when processes are spawned concurrently from multiple threads. This issue particularly affects the "spawn" method of multiprocessing, which is not thread-safe on Linux.

Note

This only affects Linux users.

How to fix Race Condition?

Upgrade pyinstaller to version 5.8.0 or higher.

[,5.8.0)
  • M
Execution with Unnecessary Privileges

pyinstaller is a package that bundles a Python application and all its dependencies into a single package

Affected versions of this package are vulnerable to Execution with Unnecessary Privileges. When the tempfile.mkdtemp function is used, it creates a temporary directory that should only be accessible by the creating user ID. However, on Windows systems, the 0o700 POSIX permissions mask has no effect, leading to potential security issues. An attacker with local access can interfere with the application by modifying the contents of the temporary directory if it is located in a system-wide location and the application is running in privileged mode with developer mode enabled. This is only exploitable if the temporary directory base is relocated to a system-wide location (e.g., c:\temp) and developer mode is enabled on the system.

How to fix Execution with Unnecessary Privileges?

Upgrade pyinstaller to version 5.13.1 or higher.

[,5.13.1)
  • H
Execution with Unnecessary Privileges

pyinstaller is a package that bundles a Python application and all its dependencies into a single package

Affected versions of this package are vulnerable to Execution with Unnecessary Privileges. On Windows only, a local privilege escalation vulnerability is present in this particular case: If a software using PyInstaller in "onefile" mode is launched by a privileged user (at least more than the current one) which have his "TempPath" resolving to a world writable directory. This is the case for example if the software is launched as a service or as a scheduled task using a system account (TempPath will be C:\Windows\Temp). In order to be exploitable the software has to be (re)started after the attacker launch the exploit program, so for a service launched at startup, a service restart is needed (e.g. after a crash or an upgrade).

How to fix Execution with Unnecessary Privileges?

Upgrade pyinstaller to version 3.6 or higher.

[,3.6)