Updated python3, python packages fix security vulnerabilities
Publication date: 28 Mar 2024
Modification date: 28 Mar 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-6597, CVE-2024-0450
Description
The tempfile.TemporaryDirectory class would dereference symlinks during
cleanup of permissions-related errors. This means users who can run
privileged programs are potentially able to modify permissions of files
referenced by symlinks in some circumstances. (CVE-2023-6597)
The zipfile module is vulnerable to “quoted-overlap” zip-bombs which
exploit the zip format to create a zip-bomb with a high compression
ratio. The fixed versions of CPython make the zipfile module reject zip
archives whose entries overlap. (CVE-2024-0450)
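A pre-extraction check for overlapping entries, for code that handles untrusted archives on hosts not yet updated. This is an added example, not part of the advisory and not CPython's own fix; the function names `entry_spans`, `find_overlaps` and `make_sample_zip` are hypothetical, and the sample archive is constructed.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIZE = 30  # fixed-length part of a ZIP local file header


def entry_spans(fileobj):
    """Return (start, end, name) byte ranges for every entry in the archive.

    Each range covers the local header plus compressed data; a trailing
    data descriptor is not counted, so `end` is a lower bound.
    """
    spans = []
    with zipfile.ZipFile(fileobj) as zf:
        for info in zf.infolist():
            fileobj.seek(info.header_offset)
            header = fileobj.read(LOCAL_HEADER_SIZE)
            if len(header) != LOCAL_HEADER_SIZE or header[:4] != b"PK\x03\x04":
                raise zipfile.BadZipFile(f"bad local header: {info.filename!r}")
            name_len, extra_len = struct.unpack("<HH", header[26:30])
            end = (info.header_offset + LOCAL_HEADER_SIZE
                   + name_len + extra_len + info.compress_size)
            spans.append((info.header_offset, end, info.filename))
    return spans


def find_overlaps(spans):
    """Return (earlier, later) name pairs whose byte ranges overlap."""
    overlaps = []
    furthest_end, furthest_name = -1, None
    for start, end, name in sorted(spans):
        if start < furthest_end:
            overlaps.append((furthest_name, name))
        if end > furthest_end:
            furthest_end, furthest_name = end, name
    return overlaps


def make_sample_zip():
    """Constructed sample: a small, well-formed two-entry archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", "alpha " * 100)
        zf.writestr("b.txt", "beta " * 100)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(find_overlaps(entry_spans(make_sample_zip())))  # well-formed archive
    print(find_overlaps([(0, 100, "a"), (40, 120, "b")]))  # constructed spans
```

An archive for which `find_overlaps` returns a non-empty list should be rejected before any member is extracted.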
SRPMS
9/core
- python3-3.10.11-1.2.mga9
- python-2.7.18-15.2.mga9