OESA-2024-2190

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-2190
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2024-2190.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2024-2190
Upstream
Published
2024-09-27T11:09:14Z
Modified
2025-08-12T05:40:34.572362Z
Summary
python3 security update
Details

Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.

Security Fix(es):

An issue was found in the CPython tempfile.TemporaryDirectory class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances. (CVE-2023-6597)

An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

(CVE-2024-0450)

There is a MEDIUM severity vulnerability affecting CPython.

The “socket” module provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AFUNIX, such as Windows. This pure-Python implementation uses AFINET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer.

Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.(CVE-2024-3219)

There is a MEDIUM severity vulnerability affecting CPython.

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.(CVE-2024-6232)

Database specific 
{
    "severity": "High"
}
References

Affected packages

openEuler:22.03-LTS-SP4 / python3

Package

Name
python3
Purl
pkg:rpm/openEuler/python3&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.9.9-36.oe2203sp4

Ecosystem specific 

{
    "src": [
        "python3-3.9.9-36.oe2203sp4.src.rpm"
    ],
    "noarch": [
        "python3-help-3.9.9-36.oe2203sp4.noarch.rpm"
    ],
    "x86_64": [
        "python3-3.9.9-36.oe2203sp4.x86_64.rpm",
        "python3-debug-3.9.9-36.oe2203sp4.x86_64.rpm",
        "python3-debuginfo-3.9.9-36.oe2203sp4.x86_64.rpm",
        "python3-debugsource-3.9.9-36.oe2203sp4.x86_64.rpm",
        "python3-devel-3.9.9-36.oe2203sp4.x86_64.rpm",
        "python3-unversioned-command-3.9.9-36.oe2203sp4.x86_64.rpm"
    ],
    "aarch64": [
        "python3-3.9.9-36.oe2203sp4.aarch64.rpm",
        "python3-debug-3.9.9-36.oe2203sp4.aarch64.rpm",
        "python3-debuginfo-3.9.9-36.oe2203sp4.aarch64.rpm",
        "python3-debugsource-3.9.9-36.oe2203sp4.aarch64.rpm",
        "python3-devel-3.9.9-36.oe2203sp4.aarch64.rpm",
        "python3-unversioned-command-3.9.9-36.oe2203sp4.aarch64.rpm"
    ]
}