diff options
| author | Jiaying Song <jiaying.song.cn@windriver.com> | 2024-11-22 17:21:49 +0800 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-12-06 05:50:24 -0800 |
| commit | 6653eb6e900e9a2934b6c934f26555fe28c1a8d9 (patch) | |
| tree | 18f59ba9792213b179f2cde58be6ae63f3dd4b06 /scripts/lib/devtool/export.py | |
| parent | 1876097252d066a523ed8a3031322129f8f38498 (diff) | |
| download | poky-6653eb6e900e9a2934b6c934f26555fe28c1a8d9.tar.gz | |
python3-zipp: fix CVE-2024-5569
A Denial of Service (DoS) vulnerability exists in the jaraco/zipp
library, affecting all versions prior to 3.19.1. The vulnerability is
triggered when processing a specially crafted zip file that leads to an
infinite loop. This issue also impacts the zipfile module of CPython, as
features from the third-party zipp library are later merged into
CPython, and the affected code is identical in both projects. The
infinite loop can be initiated through the use of functions affecting
the `Path` module in both zipp and zipfile, such as `joinpath`, the
overloaded division operator, and `iterdir`. Although the infinite loop
is not resource exhaustive, it prevents the application from responding.
The vulnerability was addressed in version 3.19.1 of jaraco/zipp.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-5569
Upstream patches:
https://github.com/jaraco/zipp/pull/120/commits/79a309fe54dc6b7934fb72e9f31bcb58f2e9f547
https://github.com/jaraco/zipp/pull/120/commits/564fcc10cdbfdaecdb33688e149827465931c9e0
https://github.com/jaraco/zipp/pull/120/commits/58115d2be968644ce71ce6bcc9b79826c82a1806
https://github.com/jaraco/zipp/pull/120/commits/c18417ed2953e181728a7dac07bff88a2190abf7
(From OE-Core rev: ec77cfe12f0790c7e3cf2d9bf00e47b4c653997c)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'scripts/lib/devtool/export.py')
0 files changed, 0 insertions, 0 deletions