{"schema_version":"1.7.2","id":"OESA-2024-1888","modified":"2024-07-26T11:08:36Z","published":"2024-07-26T11:08:36Z","upstream":["CVE-2024-5569"],"summary":"python-zipp security update","details":"A pathlib-compatible Zipfile object wrapper. A backport of the Path object.\r\n\r\nSecurity Fix(es):\r\n\r\nA Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.(CVE-2024-5569)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP4","name":"python-zipp","purl":"pkg:rpm/openEuler/python-zipp\u0026distro=openEuler-22.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.7.0-3.oe2203sp4"}]}],"ecosystem_specific":{"noarch":["python-zipp-help-3.7.0-3.oe2203sp4.noarch.rpm","python3-zipp-3.7.0-3.oe2203sp4.noarch.rpm"],"src":["python-zipp-3.7.0-3.oe2203sp4.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1888"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-5569"}],"database_specific":{"severity":"Medium"}}