Message-ID: <77dc10fa-9ef5-4314-9093-fbc392778ca8@oracle.com>
Date: Wed, 20 Mar 2024 16:35:37 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Security fixes in Python 3.10.14, 3.9.19, and 3.8.19 (CVE-2023-6597 & CVE-2024-0450)

https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993
announces the availability of Python 3.10.14, 3.9.19, and 3.8.19, including
these security fixes (see above URL for links to details on each):

- gh-115399 & gh-115398: bundled libexpat was updated to 2.6.0 to address
  CVE-2023-52425, and control of the new reparse deferral functionality was
  exposed with new APIs. Thanks to Sebastian Pipping, the maintainer of
  libexpat, who worked with us directly on incorporating those fixes!

- gh-109858: zipfile is now protected from the “quoted-overlap” zipbomb to
  address CVE-2024-0450. It now raises BadZipFile when attempting to read an
  entry that overlaps with another entry or the central directory.

- gh-91133: tempfile.TemporaryDirectory cleanup no longer dereferences
  symlinks when working around file system permission errors, to address
  CVE-2023-6597.

- gh-115197: urllib.request no longer resolves the hostname before checking
  it against the system’s proxy bypass list on macOS and Windows.

- gh-81194: a crash in socket.if_indextoname() with a specific value
  (UINT_MAX) was fixed. Relatedly, an integer overflow in
  socket.if_indextoname() on 64-bit non-Windows platforms was fixed.

- gh-113659: .pth files with names starting with a dot or containing the
  hidden file attribute are now skipped.

- gh-102388: iso2022_jp_3 and iso2022_jp_2004 codecs no longer read out of
  bounds.

- gh-114572: ssl.SSLContext.cert_store_stats() and
  ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate
  store when the ssl.SSLContext is shared across multiple threads.

Presumably releases for 3.11 & 3.12 will follow, as the announcements of the
two new CVEs listed them as also affected.

https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/
said:

  [CVE-2024-0450] Quoted zip-bomb protection for zipfile

  An issue was found in the CPython `zipfile` module affecting versions
  3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module
  is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format
  to create a zip-bomb with a high compression ratio. The fixed versions of
  CPython make the zipfile module reject zip archives which overlap entries
  in the archive.

  *References*
  * CVE: https://www.cve.org/CVERecord?id=CVE-2024-0450
  * Patch: https://github.com/python/cpython/pull/110016
  * Issue: https://github.com/python/cpython/issues/109858

https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/
said:

  [CVE-2023-6597] tempfile.TemporaryDirectory dereferences symlinks during cleanup

  An issue was found in the CPython `tempfile.TemporaryDirectory` class
  affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior.
  The tempfile.TemporaryDirectory class would dereference symlinks during
  cleanup of permissions-related errors. This means users who can run
  privileged programs are potentially able to modify permissions of files
  referenced by symlinks in some circumstances.

  *References*
  * CVE: https://www.cve.org/CVERecord?id=CVE-2023-6597
  * Patch: https://github.com/python/cpython/pull/99930
  * Issue: https://github.com/python/cpython/issues/91133

--
-Alan Coopersmith-              alan.coopersmith@...cle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
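The gh-109858 item above says the fixed zipfile raises BadZipFile when an entry overlaps another entry or the central directory. The following is an added example, not code from the advisory or from CPython: a stand-alone pre-check that applies the same overlap rule, for inspecting archives on a Python that does not yet carry the fix. The archive contents (a.txt, b.txt) are constructed here, and aliased_archive() only simulates, in memory, a directory record that points at another entry's local header.

```python
import io
import struct
import zipfile

# Local file header layout, identical to zipfile.structFileHeader (30 bytes).
LOCAL_HEADER_FMT = "<4s2B4HL2L2H"
LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_SIZE = struct.calcsize(LOCAL_HEADER_FMT)

def entry_spans(zf):
    """(start, end, name) per entry, covering its local header and compressed data."""
    spans = []
    for zi in zf.infolist():
        # Read the local header from the archive itself, as the CPython fix does,
        # instead of trusting the central directory's filename/extra lengths.
        zf.fp.seek(zi.header_offset)
        hdr = zf.fp.read(LOCAL_HEADER_SIZE)
        if len(hdr) != LOCAL_HEADER_SIZE or hdr[:4] != LOCAL_HEADER_SIG:
            raise zipfile.BadZipFile(f"Bad local header for {zi.filename!r}")
        name_len, extra_len = struct.unpack(LOCAL_HEADER_FMT, hdr)[10:12]
        end = zi.header_offset + LOCAL_HEADER_SIZE + name_len + extra_len + zi.compress_size
        spans.append((zi.header_offset, end, zi.filename))
    return spans

def overlapping_entries(zf):
    """Names of entries whose bytes run into the next entry or the central directory."""
    spans = sorted(entry_spans(zf))
    bad = []
    for i, (start, end, name) in enumerate(spans):
        limit = spans[i + 1][0] if i + 1 < len(spans) else zf.start_dir
        if end > limit:
            bad.append(name)
    return bad

def sample_archive():
    """Constructed two-entry archive, well-formed and non-overlapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"A" * 4096)
        zf.writestr("b.txt", b"B" * 4096)
    return zipfile.ZipFile(io.BytesIO(buf.getvalue()))

def aliased_archive():
    """sample_archive() with b.txt's directory record pointed at a.txt's local
    header: the shape of a quoted-overlap archive, simulated in memory only."""
    zf = sample_archive()
    a, b = zf.infolist()
    b.header_offset = a.header_offset
    return zf
```

On a fixed interpreter, zf.read() of an entry flagged by overlapping_entries() is what raises BadZipFile; on older interpreters this check lets you refuse the archive before extracting anything.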