Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Security fixes in Python 3.10.14, 3.9.19, and 3.8.19 (CVE-2023-6597 & CVE-2024-0450)

Related Vulnerabilities: CVE-2023-6597   CVE-2024-0450   CVE-2023-52425  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Security fixes in Python 3.10.14, 3.9.19, and 3.8.19 (CVE-2023-6597 &amp; CVE-2024-0450)

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Alan Coopersmith &lt;alan.coopersmith () oracle com&gt;

Date: Wed, 20 Mar 2024 16:35:37 -0700

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993
announces the availability of Python 3.10.14, 3.9.19, and 3.8.19,
including these security fixes (see above URL for links to details on each):

- gh-115399 &amp; gh-115398: bundled libexpat was updated to 2.6.0 to address
  CVE-2023-52425, and control of the new reparse deferral functionality was
  exposed with new APIs. Thanks to Sebastian Pipping, the maintainer of
  libexpat, who worked with us directly on incorporating those fixes!

- gh-109858 : zipfile is now protected from the “quoted-overlap” zipbomb to
  address CVE-2024-0450 . It now raises BadZipFile when attempting to read an
  entry that overlaps with another entry or central directory

- gh-91133: tempfile.TemporaryDirectory cleanup no longer dereferences symlinks
  when working around file system permission errors to address CVE-2023-6597

- gh-115197: urllib.request no longer resolves the hostname before checking it
  against the system’s proxy bypass list on macOS and Windows

- gh-81194: a crash in socket.if_indextoname() with a specific value (UINT_MAX)
  was fixed. Relatedly, an integer overflow in socket.if_indextoname() on 64-bit
  non-Windows platforms was fixed

- gh-113659: .pth files with names starting with a dot or containing the hidden
  file attribute are now skipped

- gh-102388: iso2022_jp_3 and iso2022_jp_2004 codecs no longer read out of
  bounds

- gh-114572 : ssl.SSLContext.cert_store_stats() and
  ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate
  store, when the ssl.SSLContext is shared across multiple threads

Presumably releases for 3.11 &amp; 3.12 will follow as the announcements of the
two new CVEs listed them as also affected.

https://mail.python.org/archives/list/security-announce () python org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/
said:

  [CVE-2024-0450] Quoted zip-bomb protection for zipfile

  An issue was found in the CPython `zipfile` module affecting versions
  3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior.

  The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit
  the zip format to create a zip-bomb with a high compression ratio. The fixed
  versions of CPython makes the zipfile module reject zip archives which overlap
  entries in the archive.

  *References*
  * CVE: https://www.cve.org/CVERecord?id=CVE-2024-0450
  * Patch: https://github.com/python/cpython/pull/110016
  * Issue: https://github.com/python/cpython/issues/109858

https://mail.python.org/archives/list/security-announce () python org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/
said:

  [CVE-2023-6597] tempfile.TemporaryDirectory dereferences symlinks during cleanup

  An issue was found in the CPython `tempfile.TemporaryDirectory` class
  affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior.

  The tempfile.TemporaryDirectory class would dereference symlinks during
  cleanup of permissions-related errors. This means users which can run
  privileged programs are potentially able to modify permissions of files
  referenced by symlinks in some circumstances.

  *References*
  * CVE: https://www.cve.org/CVERecord?id=CVE-2023-6597
  * Patch: https://github.com/python/cpython/pull/99930
  * Issue: https://github.com/python/cpython/issues/91133

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

Security fixes in Python 3.10.14, 3.9.19, and 3.8.19 (CVE-2023-6597 &amp; CVE-2024-0450) Alan Coopersmith (Mar 20)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started