[CVE-2024-7592] Quadratic complexity parsing cookies with backslashes

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

[CVE-2024-8088] Infinite loop when iterating over zip archive entry names

There is a HIGH severity vulnerability affecting the CPython "zipfile" module. When iterating over names of entries in a zip archive (for example, methods of "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()", etc.) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.
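Both issues above are resource-exhaustion bugs in standard-library parsers fed with untrusted input, and the mitigations while a fix is rolled out are the usual ones for that class: bound the size of what the parser sees, and run the parse where it can be killed. The following is an added example written for this bug entry; it is not Gentoo's or CPython's code and does not reproduce either defect. It assumes only the standard library. The byte limits and the deadline are constructed values to be sized per application; the child-interpreter approach for listing archives is one isolation technique among several.

```python
"""Defensive wrappers for the two parsers named in the advisory (added example).

1. http.cookies: reject a Cookie header above a byte limit before the
   module parses it.  Capping n bounds any super-linear (e.g. n**2) cost.
2. zipfile: read the archive's entry names in a separate interpreter
   process under a hard deadline, so a parser that never terminates on a
   crafted archive is killed instead of pinning the service's CPU.
"""
import http.cookies
import json
import os
import subprocess
import sys
import tempfile
import zipfile

MAX_COOKIE_HEADER_BYTES = 4096     # constructed limit; size it for your application
MAX_ZIP_BYTES = 50 * 1024 * 1024   # constructed limit
ZIP_LIST_TIMEOUT_S = 5.0           # constructed deadline


class UntrustedInputRejected(ValueError):
    """Input was refused before (or instead of) being handed to the parser."""


def parse_cookie_header(header, limit=MAX_COOKIE_HEADER_BYTES):
    """Parse a Cookie header into {name: value}, refusing oversized input."""
    if len(header.encode("utf-8", "surrogateescape")) > limit:
        raise UntrustedInputRejected("Cookie header exceeds %d bytes" % limit)
    jar = http.cookies.SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


# Program run by the throwaway child interpreter: list the archive, emit JSON.
_CHILD_LISTER = r"""
import json, sys, zipfile
with zipfile.ZipFile(sys.argv[1]) as zf:
    print(json.dumps(zf.namelist()))
"""


def list_zip_names(path, timeout_s=ZIP_LIST_TIMEOUT_S, limit=MAX_ZIP_BYTES):
    """Return the entry names of a zip archive under a size cap and a deadline.

    If the child does not finish within timeout_s (for example because the
    archive drives the parser into an infinite loop), subprocess.run kills
    it and the archive is rejected; the caller's process never blocks.
    """
    if os.path.getsize(path) > limit:
        raise UntrustedInputRejected("archive exceeds %d bytes" % limit)
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", _CHILD_LISTER, path],
            capture_output=True, text=True, timeout=timeout_s, check=False,
        )
    except subprocess.TimeoutExpired:
        raise UntrustedInputRejected("listing exceeded %.1fs deadline" % timeout_s) from None
    if proc.returncode != 0:
        # BadZipFile and similar errors surface here; the last stderr line is enough.
        err = proc.stderr.strip()
        reason = err.splitlines()[-1] if err else "unknown error"
        raise UntrustedInputRejected("archive rejected: " + reason)
    return json.loads(proc.stdout)


def demo():
    """Exercise both wrappers on constructed inputs and return the observations."""
    results = {}
    # Constructed Cookie header whose second value uses a backslash-escaped quote.
    results["cookies"] = parse_cookie_header('sid=abc123; note="a\\"b"')
    try:
        parse_cookie_header("k=" + "v" * 100, limit=50)
        results["oversized_cookie_rejected"] = False
    except UntrustedInputRejected:
        results["oversized_cookie_rejected"] = True

    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.zip")
        with zipfile.ZipFile(good, "w") as zf:       # constructed benign archive
            zf.writestr("a.txt", "hello")
            zf.writestr("dir/b.txt", "world")
        results["names"] = list_zip_names(good)

        bogus = os.path.join(tmp, "bogus.zip")        # constructed non-archive
        with open(bogus, "wb") as fh:
            fh.write(b"not a zip archive")
        try:
            list_zip_names(bogus)
            results["bogus_rejected"] = False
        except UntrustedInputRejected:
            results["bogus_rejected"] = True
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The size cap is cheap and addresses the cookie issue directly; the out-of-process listing is the heavier control and is what actually protects against a parser loop, since a thread running `namelist()` cannot be interrupted from Python. Neither replaces upgrading to a fixed interpreter.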
cleanup done
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=10ededaefbfe7287f3b9211907eacaeb27868e8a

commit 10ededaefbfe7287f3b9211907eacaeb27868e8a
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2025-06-12 08:52:28 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2025-06-12 08:52:39 +0000

    [ GLSA 202506-07 ] Python, PyPy: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/929045
    Bug: https://bugs.gentoo.org/937124
    Bug: https://bugs.gentoo.org/938432
    Bug: https://bugs.gentoo.org/939206
    Bug: https://bugs.gentoo.org/945845
    Bug: https://bugs.gentoo.org/953493
    Bug: https://bugs.gentoo.org/956682
    Bug: https://bugs.gentoo.org/957088
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202506-07.xml | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)