> The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives which overlap entries in the archive. https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/

> The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users who can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances. https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/
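The overlap condition the zipfile advisory above describes, as an added example that is not part of this bug report or of CPython's own fix: it computes each member's byte span from the local header and the central directory and reports members that share bytes, which a well-formed archive never does. `sample_archive()` is a constructed benign input; a span that ends in a data descriptor is slightly under-estimated, which only makes the check more lenient.

```python
import io
import struct
import zipfile

# Local file header (APPNOTE 4.3.7): 30 fixed bytes, then the name, then the extra field.
LOCAL_HEADER = struct.Struct("<IHHHHHIIIHH")
LOCAL_HEADER_SIG = 0x04034B50


def entry_spans(zf):
    """Yield (name, start, end) byte spans for each member of an open ZipFile."""
    fp = zf.fp
    for info in zf.infolist():
        # start is the central directory's header_offset; end is derived from the
        # local header's own name/extra lengths plus the central directory's compress_size.
        fp.seek(info.header_offset)
        raw = fp.read(LOCAL_HEADER.size)
        if len(raw) != LOCAL_HEADER.size:
            raise zipfile.BadZipFile(f"truncated local header: {info.filename!r}")
        fields = LOCAL_HEADER.unpack(raw)
        if fields[0] != LOCAL_HEADER_SIG:
            raise zipfile.BadZipFile(f"bad local header signature: {info.filename!r}")
        name_len, extra_len = fields[9], fields[10]
        end = info.header_offset + LOCAL_HEADER.size + name_len + extra_len + info.compress_size
        yield info.filename, info.header_offset, end


def find_overlaps(spans):
    """Return (earlier, later) name pairs whose byte spans share bytes."""
    overlaps = []
    furthest_name, furthest_end = None, 0
    # Walk members by start offset, remembering the furthest end seen so far; a member
    # that starts before that end reuses another member's bytes (the structure the fix rejects).
    for name, start, end in sorted(spans, key=lambda s: s[1]):
        if start < furthest_end:
            overlaps.append((furthest_name, name))
        if end > furthest_end:
            furthest_name, furthest_end = name, end
    return overlaps


def overlapping_members(data):
    """Open an in-memory archive and return its overlapping member pairs."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_overlaps(entry_spans(zf))


def sample_archive():
    """Constructed benign two-member archive used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"A" * 1024)
        zf.writestr("b.txt", b"B" * 1024)
    return buf.getvalue()
```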
https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993 lists more:

> gh-81194: a crash in socket.if_indextoname() with a specific value (UINT_MAX) was fixed. Relatedly, an integer overflow in socket.if_indextoname() on 64-bit non-Windows platforms was fixed
> gh-113659: .pth files with names starting with a dot or containing the hidden file attribute are now skipped
> gh-102388: iso2022_jp_3 and iso2022_jp_2004 codecs no longer read out of bounds
> gh-114572: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate store, when the ssl.SSLContext is shared across multiple threads
Sigh, looks like the upstream announcement was wrong: the zipfile fix is already present in 3.11.8 and 3.12.2. The tempfile fix is already present in 3.11.8 and 3.12.1. Everything else, except for the SSLContext thing, also seems to be present in older versions. However, that one doesn't seem like a real security issue at first glance.
Cleanup done.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=665ec86173a28118d28182d8381d593988f1adac

commit 665ec86173a28118d28182d8381d593988f1adac
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-04 05:59:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-04 06:00:31 +0000

    [ GLSA 202405-01 ] Python, PyPy3: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/884653
    Bug: https://bugs.gentoo.org/897958
    Bug: https://bugs.gentoo.org/908018
    Bug: https://bugs.gentoo.org/912976
    Bug: https://bugs.gentoo.org/919475
    Bug: https://bugs.gentoo.org/927299
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-01.xml | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)