oss-sec mailing list archives
Security fixes in Python 3.10.14, 3.9.19, and 3.8.19 (CVE-2023-6597 & CVE-2024-0450)
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Wed, 20 Mar 2024 16:35:37 -0700
https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993 announces the availability of Python 3.10.14, 3.9.19, and 3.8.19, including these security fixes (see above URL for links to details on each): - gh-115399 & gh-115398: bundled libexpat was updated to 2.6.0 to address CVE-2023-52425, and control of the new reparse deferral functionality was exposed with new APIs. Thanks to Sebastian Pipping, the maintainer of libexpat, who worked with us directly on incorporating those fixes! - gh-109858 : zipfile is now protected from the “quoted-overlap” zipbomb to address CVE-2024-0450 . It now raises BadZipFile when attempting to read an entry that overlaps with another entry or central directory - gh-91133: tempfile.TemporaryDirectory cleanup no longer dereferences symlinks when working around file system permission errors to address CVE-2023-6597 - gh-115197: urllib.request no longer resolves the hostname before checking it against the system’s proxy bypass list on macOS and Windows - gh-81194: a crash in socket.if_indextoname() with a specific value (UINT_MAX) was fixed. Relatedly, an integer overflow in socket.if_indextoname() on 64-bit non-Windows platforms was fixed - gh-113659: .pth files with names starting with a dot or containing the hidden file attribute are now skipped - gh-102388: iso2022_jp_3 and iso2022_jp_2004 codecs no longer read out of bounds - gh-114572 : ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate store, when the ssl.SSLContext is shared across multiple threads Presumably releases for 3.11 & 3.12 will follow as the announcements of the two new CVEs listed them as also affected. https://mail.python.org/archives/list/security-announce () python org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/ said: [CVE-2024-0450] Quoted zip-bomb protection for zipfile An issue was found in the CPython `zipfile` module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive. *References* * CVE: https://www.cve.org/CVERecord?id=CVE-2024-0450 * Patch: https://github.com/python/cpython/pull/110016 * Issue: https://github.com/python/cpython/issues/109858 https://mail.python.org/archives/list/security-announce () python org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/ said: [CVE-2023-6597] tempfile.TemporaryDirectory dereferences symlinks during cleanup An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances. *References* * CVE: https://www.cve.org/CVERecord?id=CVE-2023-6597 * Patch: https://github.com/python/cpython/pull/99930 * Issue: https://github.com/python/cpython/issues/91133 -- -Alan Coopersmith- alan.coopersmith () oracle com Oracle Solaris Engineering - https://blogs.oracle.com/solaris
Current thread:
- Security fixes in Python 3.10.14, 3.9.19, and 3.8.19 (CVE-2023-6597 & CVE-2024-0450) Alan Coopersmith (Mar 20)