OESA-2024-1890

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1890
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2024-1890.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2024-1890
Upstream
Published
2024-07-26T11:08:36Z
Modified
2025-08-12T05:47:05.296019Z
Summary
python-zipp security update
Details

A pathlib-compatible Zipfile object wrapper. A backport of the Path object.

Security Fix(es):

A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the Path module in both zipp and zipfile, such as joinpath, the overloaded division operator, and iterdir. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.(CVE-2024-5569)

Database specific 
{
    "severity": "Medium"
}
References

Affected packages

openEuler:22.03-LTS-SP1 / python-zipp

Package

Name
python-zipp
Purl
pkg:rpm/openEuler/python-zipp&distro=openEuler-22.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.7.0-3.oe2203sp1

Ecosystem specific 

{
    "src": [
        "python-zipp-3.7.0-3.oe2203sp1.src.rpm"
    ],
    "noarch": [
        "python-zipp-help-3.7.0-3.oe2203sp1.noarch.rpm",
        "python3-zipp-3.7.0-3.oe2203sp1.noarch.rpm"
    ]
}