Security-SIG
security-sig@python.org

April 2024

  • 1 participants
  • 2 discussions
Re: [Security-announce][CVE-2023-6597] tempfile.TemporaryDirectory dereferences symlinks during cleanup
by Michał Górny April 6, 2024

Hello,

On Tue, 2024-03-19 at 11:10 -0400, Ee Durbin wrote:
> An issue was found in the CPython `tempfile.TemporaryDirectory` class
> affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior.

The fix for this seems to be present in 3.12.1 and 3.11.8:

$ git describe --contains 6ceb8aeda504b079fef7a57b8d81472f15cdd9a5
v3.12.1~4
$ git describe --contains 5585334d772b253a01a6730e8202ffb1607c3d25
v3.11.8~304

-- 
Best regards,
Michał Górny
Re: [Security-announce][CVE-2024-0450] Quoted zip-bomb protection for zipfile
by Michał Górny April 6, 2024

Hello,

I am a bit confused about this.

On Tue, 2024-03-19 at 11:10 -0400, Ee Durbin wrote:
> An issue was found in the CPython `zipfile` module affecting versions
> 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior.

It seems that 3.11.8 and 3.12.2 already contained a patch for this:

$ git describe --contains a956e510f6336d5ae111ba429a61c3ade30a7549
v3.11.8~173
$ git describe --contains fa181fcf2156f703347b03a3b1966ce47be8ab3b
v3.12.2~196

> The zipfile module is vulnerable to “quoted-overlap” zip-bombs which
> exploit the zip format to create a zip-bomb with a high compression ratio.
> The fixed versions of CPython make the zipfile module reject zip archives
> which overlap entries in the archive.

-- 
Best regards,
Michał Górny
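The quoted advisory says fixed CPython versions reject archives whose entries overlap. The following is an added example, not code from this thread and not CPython's own fix: a pre-extraction check that reads the central directory and flags entries whose byte ranges intersect. `entry_spans`, `find_overlaps` and `build_sample` are hypothetical names, and the sample archive is constructed in memory.

```python
import io
import struct
import zipfile

LOCAL_HEADER_FIXED = 30  # bytes in a local file header before the name field


def entry_spans(data: bytes):
    """Return (filename, start, end) per entry; end excludes any data descriptor."""
    spans = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            start = info.header_offset
            if start + LOCAL_HEADER_FIXED > len(data):
                raise zipfile.BadZipFile(f"header of {info.filename!r} out of range")
            # Name and extra lengths are taken from the local header, since
            # that is what a reader skips to reach the compressed data.
            name_len, extra_len = struct.unpack_from("<HH", data, start + 26)
            end = start + LOCAL_HEADER_FIXED + name_len + extra_len + info.compress_size
            spans.append((info.filename, start, end))
    return spans


def find_overlaps(spans):
    """Return (earlier, later) pairs where an entry starts inside an earlier one."""
    overlaps, max_end, owner = [], -1, None
    for name, start, end in sorted(spans, key=lambda s: (s[1], s[2])):
        if start < max_end:
            overlaps.append((owner, name))
        if end > max_end:
            max_end, owner = end, name
    return overlaps


def build_sample() -> bytes:
    """Constructed, benign two-member archive used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", "alpha")
        zf.writestr("b.txt", "bravo")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_overlaps(entry_spans(build_sample())))
```

An empty result means no entry begins inside the byte range of another; any pair returned is a reason to refuse extraction on interpreters that do not enforce this themselves.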
