Advisories » MGASA-2024-0313

Updated python-astropy packages fix security vulnerability

Publication date: 25 Sep 2024
Modification date: 25 Sep 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-41334

Description

Version 5.3.2 of the Astropy core package is vulnerable to remote code
execution due to improper input validation in the
`TranformGraph().to_dot_graph` function. A malicious user can provide a
command or a script file as a value to the `savelayout` argument, which
will be placed as the first value in a list of arguments passed to
`subprocess.Popen`. Although an error will be raised, the command or
script will be executed successfully. (CVE-2023-41334)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=33369
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AFGTG4EH37DFBG66DWJ2DEZNIO44D3AX/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41334

SRPMS

9/core

• python-astropy-5.1.1-1.1.mga9