OESA-2024-1888

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1888
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2024-1888.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2024-1888
Upstream
Published
2024-07-26T11:08:36Z
Modified
2025-08-12T05:47:04.334175Z
Summary
python-zipp security update
Details

A pathlib-compatible Zipfile object wrapper. A backport of the Path object.

Security Fix(es):

A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the Path module in both zipp and zipfile, such as joinpath, the overloaded division operator, and iterdir. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.(CVE-2024-5569)

Database specific 
{
    "severity": "Medium"
}
References

Affected packages

openEuler:22.03-LTS-SP4 / python-zipp

Package

Name
python-zipp
Purl
pkg:rpm/openEuler/python-zipp&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.7.0-3.oe2203sp4

Ecosystem specific 

{
    "src": [
        "python-zipp-3.7.0-3.oe2203sp4.src.rpm"
    ],
    "noarch": [
        "python-zipp-help-3.7.0-3.oe2203sp4.noarch.rpm",
        "python3-zipp-3.7.0-3.oe2203sp4.noarch.rpm"
    ]
}