Advisories for Pypi/PyInstaller package

Due to a special entry being appended to sys.path during the bootstrap process of a PyInstaller-frozen application, and due to the bootstrap script attempting to load an optional module for bytecode decryption while this entry is still present in sys.path, an application built with PyInstaller < 6.0.0 may be tricked by an unprivileged attacker into executing arbitrary python code when all of the following conditions are met: Application is built …

A PyInstaller built application, elevated as a privileged process, may be tricked by an unprivileged attacker into deleting files the unprivileged user does not otherwise have access to. A user is affected if all the following are satisfied:

Local Privilege Escalation in all Windows software frozen by PyInstaller in "onefile" mode. The vulnerability is present only on Windows and in this particular case: If a software frozen by PyInstaller in "onefile" mode is launched by a (privileged) user who has his/her "TempPath" resolving to a world writable directory. This is the case e.g. if the software is launched as a service or as a scheduled task using a …