9 Star 2 Fork 84

src-openEuler/python3

CVE-2024-0450

已完成
CVE和安全问题 拥有者
创建于  
2024-03-20 00:48

一、漏洞信息
漏洞编号:CVE-2024-0450
漏洞归属组件:python3
漏洞归属的版本:3.10.0,3.10.2,3.10.9,3.11.1,3.11.4,3.11.6,3.8.5,3.9.9
CVSS V3.0分值:
BaseScore:6.2 Medium
Vector:CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
漏洞简述:
An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.
漏洞公开时间:2024-03-20 00:15:09
漏洞创建时间:2024-03-20 00:48:26
漏洞详情参考链接:
https://nvd.nist.gov/vuln/detail/CVE-2024-0450

更多参考(点击展开)
参考来源 参考链接 来源链接
cna.python.org http://www.openwall.com/lists/oss-security/2024/03/20/5
cna.python.org https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85
cna.python.org https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba
cna.python.org https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675
cna.python.org https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51
cna.python.org https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549
cna.python.org https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183
cna.python.org https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b
cna.python.org https://github.com/python/cpython/issues/109858
cna.python.org https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html
cna.python.org https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html
cna.python.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/
cna.python.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/
cna.python.org https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/
cna.python.org https://www.bamsoftware.com/hacks/zipbomb/
suse_bugzilla http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0450 https://bugzilla.suse.com/show_bug.cgi?id=1221854
suse_bugzilla https://github.com/python/cpython/issues/109858 https://bugzilla.suse.com/show_bug.cgi?id=1221854
suse_bugzilla https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/ https://bugzilla.suse.com/show_bug.cgi?id=1221854
suse_bugzilla https://www.bamsoftware.com/hacks/zipbomb/ https://bugzilla.suse.com/show_bug.cgi?id=1221854
suse_bugzilla https://www.cve.org/CVERecord?id=CVE-2024-0450 https://bugzilla.suse.com/show_bug.cgi?id=1221854
suse_bugzilla https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85 https://bugzilla.suse.com/show_bug.cgi?id=1221854
suse_bugzilla https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba https://bugzilla.suse.com/show_bug.cgi?id=1221854
suse_bugzilla https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51 https://bugzilla.suse.com/show_bug.cgi?id=1221854
suse_bugzilla https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549 https://bugzilla.suse.com/show_bug.cgi?id=1221854
suse_bugzilla https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183 https://bugzilla.suse.com/show_bug.cgi?id=1221854
suse_bugzilla https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b https://bugzilla.suse.com/show_bug.cgi?id=1221854
suse_bugzilla https://mail.python.org/archives/list/security-announce https://bugzilla.suse.com/show_bug.cgi?id=1221854
suse_bugzilla https://seclists.org/oss-sec/2024/q1/240 https://bugzilla.suse.com/show_bug.cgi?id=1221854
suse_bugzilla https://www.cve.org/CVERecord?id=CVE-2023-6597 https://bugzilla.suse.com/show_bug.cgi?id=1221854
redhat_bugzilla https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85 https://bugzilla.redhat.com/show_bug.cgi?id=2276525
redhat_bugzilla https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba https://bugzilla.redhat.com/show_bug.cgi?id=2276525
redhat_bugzilla https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51 https://bugzilla.redhat.com/show_bug.cgi?id=2276525
redhat_bugzilla https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549 https://bugzilla.redhat.com/show_bug.cgi?id=2276525
redhat_bugzilla https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183 https://bugzilla.redhat.com/show_bug.cgi?id=2276525
redhat_bugzilla https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b https://bugzilla.redhat.com/show_bug.cgi?id=2276525
redhat_bugzilla https://github.com/python/cpython/issues/109858 https://bugzilla.redhat.com/show_bug.cgi?id=2276525
redhat_bugzilla https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html https://bugzilla.redhat.com/show_bug.cgi?id=2276525
redhat_bugzilla https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html https://bugzilla.redhat.com/show_bug.cgi?id=2276525
redhat_bugzilla https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/ https://bugzilla.redhat.com/show_bug.cgi?id=2276525
redhat_bugzilla https://www.bamsoftware.com/hacks/zipbomb/ https://bugzilla.redhat.com/show_bug.cgi?id=2276525
redhat_bugzilla https://access.redhat.com/errata/RHSA-2024:3347 https://bugzilla.redhat.com/show_bug.cgi?id=2276525
redhat_bugzilla https://access.redhat.com/errata/RHSA-2024:3391 https://bugzilla.redhat.com/show_bug.cgi?id=2276525
redhat_bugzilla https://access.redhat.com/errata/RHSA-2024:3466 https://bugzilla.redhat.com/show_bug.cgi?id=2276525
redhat_bugzilla https://access.redhat.com/errata/RHSA-2024:4058 https://bugzilla.redhat.com/show_bug.cgi?id=2276525
redhat_bugzilla https://access.redhat.com/errata/RHSA-2024:4078 https://bugzilla.redhat.com/show_bug.cgi?id=2276525
redhat_bugzilla https://access.redhat.com/errata/RHSA-2024:4243 https://bugzilla.redhat.com/show_bug.cgi?id=2276525
redhat_bugzilla https://access.redhat.com/errata/RHSA-2024:4406 https://bugzilla.redhat.com/show_bug.cgi?id=2276525
ubuntu https://seclists.org/oss-sec/2024/q1/240 https://ubuntu.com/security/CVE-2024-0450
ubuntu https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993 https://ubuntu.com/security/CVE-2024-0450
ubuntu https://www.cve.org/CVERecord?id=CVE-2024-0450 https://ubuntu.com/security/CVE-2024-0450
ubuntu https://nvd.nist.gov/vuln/detail/CVE-2024-0450 https://ubuntu.com/security/CVE-2024-0450
ubuntu https://launchpad.net/bugs/cve/CVE-2024-0450 https://ubuntu.com/security/CVE-2024-0450
ubuntu https://security-tracker.debian.org/tracker/CVE-2024-0450 https://ubuntu.com/security/CVE-2024-0450
ubuntu https://github.com/python/cpython/issues/109858 https://ubuntu.com/security/CVE-2024-0450
debian https://security-tracker.debian.org/tracker/CVE-2024-0450
oracle https://www.oracle.com/security-alerts/cpujul2024.html
gentoo https://security.gentoo.org/glsa/202405-01
anolis https://anas.openanolis.cn/cves/detail/CVE-2024-0450
cve_search https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba
cve_search https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b
cve_search https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549
cve_search https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85
cve_search https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51
cve_search https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183
cve_search https://github.com/python/cpython/issues/109858
cve_search https://www.bamsoftware.com/hacks/zipbomb/
cve_search https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/
cve_search https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html
cve_search https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html
mageia http://advisories.mageia.org/MGASA-2024-0096.html
osv https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85 https://osv.dev/vulnerability/CVE-2024-0450
osv https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba https://osv.dev/vulnerability/CVE-2024-0450
osv https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51 https://osv.dev/vulnerability/CVE-2024-0450
osv https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549 https://osv.dev/vulnerability/CVE-2024-0450
osv https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183 https://osv.dev/vulnerability/CVE-2024-0450
osv https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b https://osv.dev/vulnerability/CVE-2024-0450
osv https://github.com/python/cpython/issues/109858 https://osv.dev/vulnerability/CVE-2024-0450
osv https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/ https://osv.dev/vulnerability/CVE-2024-0450
osv https://www.bamsoftware.com/hacks/zipbomb/ https://osv.dev/vulnerability/CVE-2024-0450
amazon_linux_explore https://access.redhat.com/security/cve/CVE-2024-0450 https://explore.alas.aws.amazon.com/CVE-2024-0450.html
amazon_linux_explore https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0450 https://explore.alas.aws.amazon.com/CVE-2024-0450.html
snyk https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85 https://security.snyk.io/vuln/SNYK-UNMANAGED-PYTHONCPYTHON-6468186
snyk https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba https://security.snyk.io/vuln/SNYK-UNMANAGED-PYTHONCPYTHON-6468186
snyk https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51 https://security.snyk.io/vuln/SNYK-UNMANAGED-PYTHONCPYTHON-6468186
snyk https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549 https://security.snyk.io/vuln/SNYK-UNMANAGED-PYTHONCPYTHON-6468186
snyk https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183 https://security.snyk.io/vuln/SNYK-UNMANAGED-PYTHONCPYTHON-6468186
snyk https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b https://security.snyk.io/vuln/SNYK-UNMANAGED-PYTHONCPYTHON-6468186
snyk https://github.com/python/cpython/issues/109858 https://security.snyk.io/vuln/SNYK-UNMANAGED-PYTHONCPYTHON-6468186
snyk https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/ https://security.snyk.io/vuln/SNYK-UNMANAGED-PYTHONCPYTHON-6468186
ubuntu https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0450 https://ubuntu.com/security/CVE-2024-0450

漏洞分析指导链接:
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息:

详情(点击展开)
影响的包 修复版本 修复补丁 问题引入补丁 来源
https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85 cna.python.org
https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba cna.python.org
https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675 cna.python.org
https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51 cna.python.org
https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549 cna.python.org
https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183 cna.python.org
https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b cna.python.org
https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85 suse_bugzilla
https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba suse_bugzilla
https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51 suse_bugzilla
https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549 suse_bugzilla
https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183 suse_bugzilla
https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b suse_bugzilla
https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85 redhat_bugzilla
https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba redhat_bugzilla
https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51 redhat_bugzilla
https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549 redhat_bugzilla
https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183 redhat_bugzilla
https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b redhat_bugzilla
https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85 osv
https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba osv
https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51 osv
https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549 osv
https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183 osv
https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b osv
https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85 snyk
https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba snyk
https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51 snyk
https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549 snyk
https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183 snyk
https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b snyk

二、漏洞分析结构反馈
影响性分析说明:
在CPython zipfile模块中发现了影响版本3.12.1、3.11.7、3.10.13、3.9.18和3.8.18及之前版本的问题。zipfile模块容易受到“重叠”zip-bombs攻击,后者利用zip格式创建具有高压缩比的zip-bomb。CPython的修复版本使zipfile模块拒绝与归档文件中的条目重叠的zip归档文件。
openEuler评分:
6.2
Vector:CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
受影响版本排查(受影响/不受影响):
1.master(3.11.6):受影响
2.openEuler-22.03-LTS-SP1(3.9.9):受影响
3.openEuler-22.03-LTS-SP3(3.9.9):受影响
4.openEuler-22.03-LTS-SP4(3.9.9):受影响
5.openEuler-24.03-LTS(3.11.6):受影响
6.openEuler-24.03-LTS-Next(3.11.6):受影响
7.openEuler-20.03-LTS-SP4(3.7.9):不受影响

修复是否涉及abi变化(是/否):
1.master(3.11.6):否
2.openEuler-20.03-LTS-SP4(3.7.9):否
3.openEuler-22.03-LTS-SP1(3.9.9):否
4.openEuler-22.03-LTS-SP3(3.9.9):否
5.openEuler-22.03-LTS-SP4(3.9.9):否
6.openEuler-24.03-LTS(3.11.6):否
7.openEuler-24.03-LTS-Next(3.11.6):否

三、漏洞修复
安全公告链接:https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2024-2193

评论 (16)

openeuler-ci-bot 创建了CVE和安全问题 1年前
openeuler-ci-bot 添加了
 
CVE/UNFIXED
标签
1年前
展开全部操作日志
openeuler-ci-bot 添加了
 
sig/Base-service
标签
1年前
参考网址 关联pr 状态 补丁链接
https://nvd.nist.gov/vuln/detail/CVE-2024-0450NoneNonehttps://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183
https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549
https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51
https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b
https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba
https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85
https://ubuntu.com/security/CVE-2024-0450NoneNonehttps://discourse.ubuntu.com/c/ubuntu-pro
https://www.opencve.io/cve/CVE-2024-0450NoneNonehttps://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183
https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549
https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51
https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b
https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba
https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-0450
https://security-tracker.debian.org/tracker/CVE-2024-0450

说明:补丁链接仅供初步排查参考,实际可用性请人工再次确认,补丁下载验证可使用CVE补丁工具
若补丁不准确,烦请在此issue下评论 '/report-patch 参考网址 补丁链接1,补丁链接2' 反馈正确信息,便于我们不断优化工具,不胜感激。
如 /report-patch https://security-tracker.debian.org/tracker/CVE-2021-3997 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1

openeuler-ci-bot 计划开始日期设置为2024-03-20 1年前
openeuler-ci-bot 计划截止日期设置为2024-04-19 1年前
openeuler-ci-bot 优先级设置为次要 1年前
openeuler-ci-bot 修改了描述 1年前
xieminmin 负责人设置为xinsheng3 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前

影响性分析说明: Python在3.11.5版本及之前发现的一个问题,具体涉及到了Python的Lib/zipfile.py模块。问题是在使用"重叠"的方式制作一个拉链炸弹(zipbomb),Python的zip文件无法检测到这一点,并且该zip文件将被解压,因此可能通过消耗所有存储导致DoS攻击。

openEuler评分: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

受影响版本排查(受影响/不受影响):
1.master(3.10.0):受影响
2.openEuler-20.03-LTS-SP1(3.7.9):受影响
3.openEuler-20.03-LTS-SP4(3.7.9):受影响
4.openEuler-22.03-LTS(3.9.9):受影响
5.openEuler-22.03-LTS-Next(3.9.9):受影响
6.openEuler-22.03-LTS-SP1(3.9.9):受影响
7.openEuler-22.03-LTS-SP2(3.9.9):受影响
8.openEuler-22.03-LTS-SP3(3.9.9):受影响
9.openEuler-24.03-LTS:受影响

修复是否涉及abi变化(是/否):
1.master(3.10.0):否
2.openEuler-20.03-LTS-SP1(3.7.9):否
3.openEuler-20.03-LTS-SP4(3.7.9):否
4.openEuler-22.03-LTS(3.9.9):否
5.openEuler-22.03-LTS-Next(3.9.9):否
6.openEuler-22.03-LTS-SP1(3.9.9):否
7.openEuler-22.03-LTS-SP2(3.9.9):否
8.openEuler-22.03-LTS-SP3(3.9.9):否
9.openEuler-24.03-LTS:否

openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前

影响性分析说明: Python在3.11.5版本及之前发现的一个问题,具体涉及到了Python的Lib/zipfile.py模块。问题是在使用"重叠"的方式制作一个拉链炸弹(zipbomb),Python的zip文件无法检测到这一点,并且该zip文件将被解压,因此可能通过消耗所有存储导致DoS攻击。

openEuler评分: 6.2
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
受影响版本排查(受影响/不受影响):
1.master(3.10.0):受影响
2.openEuler-20.03-LTS-SP1(3.7.9):受影响
3.openEuler-20.03-LTS-SP4(3.7.9):受影响
4.openEuler-22.03-LTS(3.9.9):受影响
5.openEuler-22.03-LTS-Next(3.9.9):受影响
6.openEuler-22.03-LTS-SP1(3.9.9):受影响
7.openEuler-22.03-LTS-SP2(3.9.9):受影响
8.openEuler-22.03-LTS-SP3(3.9.9):受影响
9.openEuler-24.03-LTS:受影响

修复是否涉及abi变化(是/否):
1.master(3.10.0):否
2.openEuler-20.03-LTS-SP1(3.7.9):否
3.openEuler-20.03-LTS-SP4(3.7.9):否
4.openEuler-22.03-LTS(3.9.9):否
5.openEuler-22.03-LTS-Next(3.9.9):否
6.openEuler-22.03-LTS-SP1(3.9.9):否
7.openEuler-22.03-LTS-SP2(3.9.9):否
8.openEuler-22.03-LTS-SP3(3.9.9):否
9.openEuler-24.03-LTS:否

openeuler-ci-bot 修改了描述 1年前
xieminmin 任务状态待办的 修改为已完成 1年前
openeuler-ci-bot 任务状态已完成 修改为待办的 1年前
openeuler-ci-bot 移除了
 
CVE/UNFIXED
标签
1年前
openeuler-ci-bot 移除了
 
sig/Base-service
标签
1年前
openeuler-ci-bot 添加了
 
CVE/UNFIXED
标签
1年前
openeuler-ci-bot 添加了
 
sig/Base-service
标签
1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
openeuler-ci-bot 修改了描述 1年前
xieminmin 任务状态待办的 修改为已挂起 1年前
openeuler-ci-bot 任务状态已挂起 修改为待办的 1年前

/reason 申请挂起
2203-LTS,2203-LTS-SP1已合入
2203-LTS-SP3待社区修复
2203-LTS-Next 待合入

xieminmin 任务状态待办的 修改为已挂起 1年前
issue状态 操作者 原因
已挂起 xieminmin 申请挂起
2203-LTS,2203-LTS-SP1已合入
2203-LTS-SP3待社区修复
2203-LTS-Next 待合入
openeuler-ci-bot 任务状态已挂起 修改为待办的 10个月前
openeuler-ci-bot 修改了描述 10个月前
openeuler-ci-bot 修改了描述 10个月前
openeuler-ci-bot 修改了描述 10个月前
openeuler-ci-bot 修改了描述 10个月前
openeuler-ci-bot 修改了描述 10个月前
openeuler-ci-bot 修改了描述 10个月前
openeuler-ci-bot 修改了描述 10个月前
xinsheng3 通过合并 Pull Request !358: fix CVE-2024-6232,CVE-2024-3219,CVE-2024-0450,CVE-2023-6597任务状态待办的 修改为已完成 10个月前
openeuler-ci-bot 任务状态已完成 修改为待办的 10个月前
openeuler-ci-bot 修改了描述 10个月前
openeuler-ci-bot 移除了
 
CVE/UNFIXED
标签
10个月前
openeuler-ci-bot 移除了
 
sig/Base-service
标签
10个月前
openeuler-ci-bot 添加了
 
CVE/UNFIXED
标签
10个月前
openeuler-ci-bot 添加了
 
sig/Base-service
标签
10个月前
xinsheng3 通过合并 Pull Request !361: fix CVE-2024-6232,CVE-2024-3219,CVE-2024-0450,CVE-2023-6597,CVE-2024-4032任务状态待办的 修改为已完成 10个月前
xinsheng3 通过合并 Pull Request !360: fix CVE-2024-6232,CVE-2024-3219,CVE-2024-0450,CVE-2023-6597任务状态待办的 修改为已完成 10个月前
openeuler-ci-bot 任务状态已完成 修改为待办的 10个月前
openeuler-ci-bot 移除了
 
CVE/UNFIXED
标签
10个月前
openeuler-ci-bot 移除了
 
sig/Base-service
标签
10个月前
openeuler-ci-bot 添加了
 
CVE/UNFIXED
标签
10个月前
openeuler-ci-bot 添加了
 
sig/Base-service
标签
10个月前
xinsheng3 通过合并 Pull Request !363: fix CVE-2024-6232,CVE-2024-3219,CVE-2024-0450,CVE-2023-6597,CVE-2024-4032任务状态待办的 修改为已完成 10个月前
openeuler-ci-bot 移除了
 
CVE/UNFIXED
标签
10个月前
openeuler-ci-bot 移除了
 
sig/Base-service
标签
10个月前
openeuler-ci-bot 添加了
 
CVE/UNFIXED
标签
10个月前
openeuler-ci-bot 添加了
 
sig/Base-service
标签
10个月前
openeuler-ci-bot 任务状态已完成 修改为待办的 10个月前
openeuler-ci-bot 移除了
 
CVE/UNFIXED
标签
10个月前
openeuler-ci-bot 移除了
 
sig/Base-service
标签
10个月前
openeuler-ci-bot 添加了
 
CVE/UNFIXED
标签
10个月前
openeuler-ci-bot 添加了
 
sig/Base-service
标签
10个月前

影响性分析说明:
在CPython zipfile模块中发现了影响版本3.12.1、3.11.7、3.10.13、3.9.18和3.8.18及之前版本的问题。zipfile模块容易受到“重叠”zip-bombs攻击,后者利用zip格式创建具有高压缩比的zip-bomb。CPython的修复版本使zipfile模块拒绝与归档文件中的条目重叠的zip归档文件。
openEuler评分:
6.2
Vector:CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
受影响版本排查(受影响/不受影响):
1.master(3.11.6):受影响
2.openEuler-20.03-LTS-SP4(3.7.9):不受影响
3.openEuler-22.03-LTS-SP1(3.9.9):受影响
4.openEuler-22.03-LTS-SP3(3.9.9):受影响
5.openEuler-22.03-LTS-SP4(3.9.9):受影响
6.openEuler-24.03-LTS(3.11.6):受影响
7.openEuler-24.03-LTS-Next(3.11.6):受影响

修复是否涉及abi变化(是/否):
1.master(3.11.6):否
2.openEuler-20.03-LTS-SP4(3.7.9):否
3.openEuler-22.03-LTS-SP1(3.9.9):否
4.openEuler-22.03-LTS-SP3(3.9.9):否
5.openEuler-22.03-LTS-SP4(3.9.9):否
6.openEuler-24.03-LTS(3.11.6):否
7.openEuler-24.03-LTS-Next(3.11.6):否

openeuler-ci-bot 修改了描述 10个月前
xieminmin 任务状态待办的 修改为已挂起 10个月前
issue状态 操作者 原因
已挂起 xieminmin 申请挂起
2203-LTS,2203-LTS-SP1已合入
2203-LTS-SP3待社区修复
2203-LTS-Next 待合入
xieminmin 任务状态已挂起 修改为已完成 10个月前
openeuler-ci-bot 移除了
 
CVE/UNFIXED
标签
10个月前
openeuler-ci-bot 移除了
 
sig/Base-service
标签
10个月前
openeuler-ci-bot 添加了
 
CVE/FIXED
标签
10个月前
openeuler-ci-bot 添加了
 
sig/Base-service
标签
10个月前
openeuler-ci-bot 修改了描述 9个月前

登录 后才可以发表评论

状态
负责人
项目
里程碑
Pull Requests
关联的 Pull Requests 被合并后可能会关闭此 issue
分支
开始日期   -   截止日期
-
置顶选项
优先级
预计工期 (小时)
参与者(4)
5329419 openeuler ci bot 1632792936 xinsheng3-xinsheng3 xieminmin-xieminmin 张晓璐-kaixin_space
1
https://gitee.com/src-openeuler/python3.git
git@gitee.com:src-openeuler/python3.git
src-openeuler
python3
python3

搜索帮助