
Bug 938432 (CVE-2024-7592, CVE-2024-8088)

Summary: <dev-lang/python-{3.8.19_p4,3.9.19_p5,3.10.14_p3,3.11.9_p2,3.12.4_p4,3.12.5_p1,3.13.0_rc1_p2}, <dev-python/pypy3_{9,10}-7.3.16_p2: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Michał Górny <mgorny>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED ---
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 939207, 939208, 939209, 939279, 939283, 939863
Bug Blocks:

Description by Michał Górny (Gentoo Security), 2024-08-24 06:47:50 UTC
[CVE-2024-7592] Quadratic complexity parsing cookies with backslashes

There is a LOW severity vulnerability affecting CPython, specifically the
'http.cookies' standard library module.

When parsing cookies that contained backslashes for quoted characters in
the cookie value, the parser would use an algorithm with quadratic
complexity, resulting in excess CPU resources being used while parsing the
value.


[CVE-2024-8088] Infinite loop when iterating over zip archive entry names

There is a HIGH severity vulnerability affecting the CPython "zipfile"
module.

When iterating over names of entries in a zip archive (for example, methods
of "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()", etc.)
the process can be put into an infinite loop with a maliciously crafted
zip archive. This defect applies when reading only metadata or extracting
the contents of the zip archive. Programs that are not handling
user-controlled zip archives are not affected.
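Both advisories describe denial of service in a stdlib parser fed untrusted input (a hang in "zipfile" name iteration, quadratic CPU use in "http.cookies"). The added example below, which is not part of the bug report or of CPython, shows a defensive pattern that bounds the blast radius while patches roll out: run the parser in a child process capped by a wall-clock deadline and an RLIMIT_CPU ceiling, so a hung or CPU-hungry parse is killed rather than stalling the caller. It assumes a POSIX host; the budgets and the sample archive/cookie header are constructed here.

```python
"""Bounded execution of untrusted-input parsers (zip entry listing, cookie parsing)."""
import io
import multiprocessing as mp
import resource
import time
import zipfile
from http.cookies import SimpleCookie

WALL_TIMEOUT_S = 5   # hypothetical budgets; tune per deployment
CPU_LIMIT_S = 2

class ParserTimeout(Exception):
    """The bounded parser did not finish within its budget and was killed."""

def _worker(conn, func, arg):
    # Hard CPU cap inside the child: the kernel terminates it if exceeded,
    # so a looping or quadratic parser cannot spin indefinitely.
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_LIMIT_S, CPU_LIMIT_S + 1))
    try:
        conn.send(("ok", func(arg)))
    except Exception as exc:          # report parser failures to the parent
        conn.send(("err", repr(exc)))
    finally:
        conn.close()

def run_bounded(func, arg, timeout=WALL_TIMEOUT_S):
    """Call func(arg) in a child process; kill it if it exceeds timeout seconds."""
    parent, child = mp.Pipe(duplex=False)
    proc = mp.Process(target=_worker, args=(child, func, arg))
    proc.start()
    child.close()
    if not parent.poll(timeout):      # no result within the wall-clock budget
        proc.kill()
        proc.join()
        raise ParserTimeout(f"{func.__name__} exceeded {timeout}s")
    status, payload = parent.recv()
    proc.join()
    if status == "err":
        raise ValueError(payload)
    return payload

def list_zip_names(data: bytes):
    """Entry names of an in-memory archive: the iteration CVE-2024-8088 can hang."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def parse_cookie(header: str):
    """Cookie name -> value pairs: the parse CVE-2024-7592 makes quadratic."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}

def make_sample_zip() -> bytes:
    buf = io.BytesIO()                # constructed, benign sample archive
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a/b.txt", "x")
    return buf.getvalue()

def demo_timeout(budget=0.5) -> bool:
    """True if a stand-in for a hung parser (time.sleep) is cut off at the deadline."""
    try:
        run_bounded(time.sleep, 30, timeout=budget)
    except ParserTimeout:
        return True
    return False
```

In production the same wrapper would sit in front of the real `extractall()` or request-header handling; the limits chosen should be generous enough for legitimate inputs and tight enough that a stuck parse is noticed in logs.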
Comment 1 by Michał Górny (Gentoo Security), 2024-10-05 08:28:48 UTC
cleanup done