-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
5d48c06
commit f4b5a67
Showing
2 changed files
with
151 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,122 @@ | ||
| { | ||
| "schema_version": "1.5.0", | ||
| "id": "PSF-0000-CVE-2024-4030", | ||
| "aliases": [ | ||
| "CVE-2024-4030" | ||
| ], | ||
| "published": "2024-05-07T21:02:55.284Z", | ||
| "modified": "2024-06-13T19:24:24.254Z", | ||
| "details": "On Windows a directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the correct permissions from the default location. Alternate configurations or users without a profile directory may not have the intended permissions.\n\nIf you\u2019re not using Windows or haven\u2019t changed the temporary directory location then you aren\u2019t affected by this vulnerability. On other platforms the returned directory is consistently readable and writable only by the current user.\n\nThis issue was caused by Python not supporting Unix permissions on Windows. The fix adds support for Unix \u201c700\u201d for the mkdir function on Windows which is used by mkdtemp() to ensure the newly created directory has the proper permissions.\n", | ||
| "database_specific": { | ||
| "cwe_ids": [] | ||
| }, | ||
| "affected": [ | ||
| { | ||
| "ranges": [ | ||
| { | ||
| "type": "GIT", | ||
| "repo": "https://github.com/python/cpython", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "81939dad77001556c527485d31a2d0f4a759033e" | ||
| }, | ||
| { | ||
| "fixed": "8ed546679524140d8282175411fd141fe7df070d" | ||
| }, | ||
| { | ||
| "fixed": "35c799d79177b962ddace2fa068101465570a29a" | ||
| }, | ||
| { | ||
| "fixed": "5130731c9e779b97d00a24f54cdce73ce9975dfd" | ||
| }, | ||
| { | ||
| "fixed": "66f8bb76a15e64a1bb7688b177ed29e26230fdee" | ||
| }, | ||
| { | ||
| "fixed": "6d0850c4c8188035643586ab4d8ec2468abd699e" | ||
| }, | ||
| { | ||
| "fixed": "91e3669e01245185569d09e9e6e11641282971ee" | ||
| }, | ||
| { | ||
| "fixed": "94591dca510c796c7d40e9b4167ea56f2fdf28ca" | ||
| }, | ||
| { | ||
| "fixed": "c8f868dc52f98011d0f9b459b6487920bfb0ac4d" | ||
| }, | ||
| { | ||
| "fixed": "d86b49411753bf2c83291e3a14ae43fefded2f84" | ||
| }, | ||
| { | ||
| "fixed": "e1dfa978b1ad210d551385ad8073ec6154f53763" | ||
| }, | ||
| { | ||
| "fixed": "eb29e2f5905da93333d1ce78bc98b151e763ff46" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://mail.python.org/archives/list/[email protected]/thread/PRGS5OR3N3PNPT4BMV2VAGN5GMUI5636/" | ||
| }, | ||
| { | ||
| "type": "REPORT", | ||
| "url": "https://github.com/python/cpython/issues/118486" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/python/cpython/commit/81939dad77001556c527485d31a2d0f4a759033e" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/python/cpython/commit/8ed546679524140d8282175411fd141fe7df070d" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/python/cpython/commit/35c799d79177b962ddace2fa068101465570a29a" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/python/cpython/commit/5130731c9e779b97d00a24f54cdce73ce9975dfd" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/python/cpython/commit/66f8bb76a15e64a1bb7688b177ed29e26230fdee" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/python/cpython/commit/6d0850c4c8188035643586ab4d8ec2468abd699e" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/python/cpython/commit/91e3669e01245185569d09e9e6e11641282971ee" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/python/cpython/commit/94591dca510c796c7d40e9b4167ea56f2fdf28ca" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/python/cpython/commit/c8f868dc52f98011d0f9b459b6487920bfb0ac4d" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/python/cpython/commit/d86b49411753bf2c83291e3a14ae43fefded2f84" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/python/cpython/commit/e1dfa978b1ad210d551385ad8073ec6154f53763" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/python/cpython/commit/eb29e2f5905da93333d1ce78bc98b151e763ff46" | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,17 +1,21 @@ | ||
| { | ||
| "modified": "2024-04-03T14:56:18Z", | ||
| "published": "2024-03-19T15:12:07Z", | ||
| "schema_version": "1.5.0", | ||
| "id": "PSF-2024-2", | ||
| "aliases": [ | ||
| "CVE-2024-0450" | ||
| ], | ||
| "details": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", | ||
| "published": "2024-03-19T15:12:07.789Z", | ||
| "modified": "2024-06-13T19:24:15.993Z", | ||
| "details": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to \u201cquoted-overlap\u201d zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", | ||
| "database_specific": { | ||
| "cwe_ids": [] | ||
| }, | ||
| "affected": [ | ||
| { | ||
| "ranges": [ | ||
| { | ||
| "type": "GIT", | ||
| "repo": "https://github.com/python/cpython", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
|
|
@@ -33,9 +37,11 @@ | |
| }, | ||
| { | ||
| "fixed": "d05bac0b74153beb541b88b4fca33bf053990183" | ||
| }, | ||
| { | ||
| "fixed": "70497218351ba44bffc8b571201ecb5652d84675" | ||
| } | ||
| ], | ||
| "repo": "https://github.com/python/cpython" | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
|
|
@@ -84,9 +90,22 @@ | |
| { | ||
| "type": "WEB", | ||
| "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "http://www.openwall.com/lists/oss-security/2024/03/20/5" | ||
| }, | ||
| { | ||
| "type": "FIX", | ||
| "url": "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [] | ||
| } | ||
| } | ||
| ] | ||
| } | ||