Debian alert DLA-3966-1 (pypy3)

From:
             
 
Andrej Shadura <andrewsh@debian.org>
To:
             
 
debian-lts-announce@lists.debian.org
Subject:
             
 
[SECURITY] [DLA 3966-1] pypy3 security update
Date:
             
 
Tue, 26 Nov 2024 10:44:10 +0100
Message-ID:
             
 
<20241126094412.762689-1-andrewsh@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3966-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Andrej Shadura
November 26, 2024                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : pypy3
Version        : 7.3.5+dfsg-2+deb11u4
CVE ID         : CVE-2020-10735 CVE-2020-29651 CVE-2021-3737 CVE-2021-28861 
                 CVE-2022-0391 CVE-2022-45061 CVE-2023-27043 CVE-2024-9287

Multiple vulnerabilities have been fixed in pypy3, an alternative
implementation of the Python 3.x language.

CVE-2020-10735

    A flaw was found in Python. In algorithms with quadratic time
    complexity using non-binary bases, when using int("text"), a system
    could take 50ms to parse an int string with 100,000 digits and 5s
    for 1,000,000 digits (float, decimal, int.from_bytes(), and int()
    for binary bases 2, 4, 8, 16, and 32 are not affected). The highest
    threat from this vulnerability is to system availability.

CVE-2020-29651

    A denial of service via regular expression in the py.path.svnwc
    component of py (aka python-py) through 1.9.0 could be used by
    attackers to cause a compute-time denial of service attack by
    supplying malicious input to the blame functionality.
    python-py is a part of the pypy3 distribution.

CVE-2021-3737

    A flaw was found in Python. An improperly handled HTTP response in the
    HTTP client code of Python may allow a remote attacker, who controls
    the HTTP server, to make the client script enter an infinite loop,
    consuming CPU time. The highest threat from this vulnerability is
    to system availability.

CVE-2021-28861

    Python has an open redirection vulnerability in lib/http/server.py
    due to no protection against multiple (/) at the beginning of URI
    path which may leads to information disclosure.
    NOTE: this is disputed by a third party because the http.server.html
    documentation page states "Warning: http.server is not recommended
    for production. It only implements basic security checks."

CVE-2022-0391

    A flaw was found in Python within the urllib.parse module. This
    module helps break Uniform Resource Locator (URL) strings into
    components. The issue involves how the urlparse method does not
    sanitize input and allows characters like '\r' and '\n' in the URL
    path. This flaw allows an attacker to input a crafted URL, leading
    to injection attacks.

CVE-2022-45061

    An unnecessary quadratic algorithm exists in one path when processing
    some inputs to the IDNA (RFC 3490) decoder, such that a crafted,
    unreasonably long name being presented to the decoder could lead to a
    CPU denial of service. Hostnames are often supplied by remote servers
    that could be controlled by a malicious actor; in such a scenario,
    they could trigger excessive CPU consumption on the client attempting
    to make use of an attacker-supplied supposed hostname. For example,
    the attack payload could be placed in the Location header of an HTTP
    response with status code 302.

CVE-2023-27043

    The email module of Python incorrectly parses e-mail addresses that
    contain a special character. The wrong portion of an RFC2822 header
    is identified as the value of the addr-spec. In some applications,
    an attacker can bypass a protection mechanism in which application
    access is granted only after verifying receipt of e-mail to a
    specific domain (e.g., only @company.example.com addresses may
    be used for signup). This occurs in email/_parseaddr.py.

CVE-2024-9287

    A vulnerability has been found in the `venv` module and CLI where
    path names provided when creating a virtual environment were not
    quoted properly, allowing the creator to inject commands into virtual
    environment "activation" scripts (ie "source venv/bin/activate"). This
    means that attacker-controlled virtual environments are able to
    run commands when the virtual environment is activated. Virtual
    environments which are not created by an attacker or which aren't
    activated before being used (ie "./venv/bin/python") are not
    affected.v

For Debian 11 bullseye, these problems have been fixed in version
7.3.5+dfsg-2+deb11u4.

We recommend that you upgrade your pypy3 packages.

For the detailed security status of pypy3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pypy3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQSD3NF/RLIsyDZW7aHoRGtKyMdyYQUCZ0WX3QAKCRDoRGtKyMdy
YZj2AQC4a8MFgETKZJgrkHE5p1Kcr2lnyt/ZO0VrpBMsR3TEEAEA5qnyAJGHK3qJ
9jxoTZZigj8z286GNlHVpqkFLeU1gQQ=
=Je/P
-----END PGP SIGNATURE-----