{"schema_version":"1.7.2","id":"OESA-2024-2193","modified":"2024-09-27T11:09:15Z","published":"2024-09-27T11:09:15Z","upstream":["CVE-2023-6597","CVE-2024-0450","CVE-2024-3219","CVE-2024-6232"],"summary":"python3 security update","details":"Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\r\n\r\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n(CVE-2023-6597)\r\n\r\nAn issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\r\n\r\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\r\n\r\n(CVE-2024-0450)\r\n\r\nThere is a MEDIUM severity vulnerability affecting CPython.\r\n\r\nThe\n “socket” module provides a pure-Python fallback to the \nsocket.socketpair() function for platforms that don’t support AF_UNIX, \nsuch as Windows. This pure-Python implementation uses AF_INET or \nAF_INET6 to create a local connected pair of sockets. The connection \nbetween the two sockets was not verified before passing the two sockets \nback to the user, which leaves the server socket vulnerable to a \nconnection race from a malicious local peer.\r\n\r\nPlatforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.(CVE-2024-3219)\r\n\r\nThere is a MEDIUM severity vulnerability affecting CPython.\r\n\r\n\r\n\r\n\r\n\r\nRegular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.(CVE-2024-6232)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS","name":"python3","purl":"pkg:rpm/openEuler/python3\u0026distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.11.6-6.oe2403"}]}],"ecosystem_specific":{"aarch64":["python3-3.11.6-6.oe2403.aarch64.rpm","python3-debug-3.11.6-6.oe2403.aarch64.rpm","python3-debuginfo-3.11.6-6.oe2403.aarch64.rpm","python3-debugsource-3.11.6-6.oe2403.aarch64.rpm","python3-devel-3.11.6-6.oe2403.aarch64.rpm","python3-tkinter-3.11.6-6.oe2403.aarch64.rpm","python3-unversioned-command-3.11.6-6.oe2403.aarch64.rpm"],"noarch":["python3-help-3.11.6-6.oe2403.noarch.rpm"],"src":["python3-3.11.6-6.oe2403.src.rpm"],"x86_64":["python3-3.11.6-6.oe2403.x86_64.rpm","python3-debug-3.11.6-6.oe2403.x86_64.rpm","python3-debuginfo-3.11.6-6.oe2403.x86_64.rpm","python3-debugsource-3.11.6-6.oe2403.x86_64.rpm","python3-devel-3.11.6-6.oe2403.x86_64.rpm","python3-tkinter-3.11.6-6.oe2403.x86_64.rpm","python3-unversioned-command-3.11.6-6.oe2403.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2193"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6597"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0450"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3219"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6232"}],"database_specific":{"severity":"High"}}