An update for python-asteval is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1297 Final 1.0 1.0 2025-03-21 Initial 2025-03-21 2025-03-21 openEuler SA Tool V1.0 2025-03-21 python-asteval security update An update for python-asteval is now available for openEuler-24.03-LTS-SP1 ASTEVAL provides a numpy-aware, safe(ish) 'eval' function Emphasis is on mathematical expressions, and so numpy ufuncs are used if available. Symbols are held in the Interpreter symbol table 'symtable': a simple dictionary supporting a simple, flat namespace. Expressions can be compiled into ast node for later evaluation, using the values in the symbol table current at evaluation time. Security Fix(es): ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the `on_formattedvalue` value uses the dangerous format method of the str class. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue.(CVE-2025-24359) An update for python-asteval is now available for master/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High python-asteval https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1297 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-24359 https://nvd.nist.gov/vuln/detail/CVE-2025-24359 openEuler-24.03-LTS-SP1 python-asteval-1.0.6-1.oe2403sp1.src.rpm python-asteval-help-1.0.6-1.oe2403sp1.noarch.rpm python3-asteval-1.0.6-1.oe2403sp1.noarch.rpm ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the `on_formattedvalue` value uses the dangerous format method of the str class. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue. 2025-03-21 CVE-2025-24359 openEuler-24.03-LTS-SP1 High 8.4 AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H python-asteval security update 2025-03-21 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1297