Serhiy Storchaka

**Name of the Vulnerable Software and Affected Versions** Python (affected versions not specified) **Description** `bz2.BZ2Decompressor` objects can be reused following a decompression error. If an application catches the resulting `OSError` and attempts to retry using the same decompressor, specially crafted input may cause the decompressor to resume from an invalid internal state. This leads to out-of-bounds writes to a stack buffer, which can result in a process crash when processing untrusted data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Python (affected versions not specified) **Description** The `unicodedata.normalize()` function can consume excessive CPU time when processing specially crafted Unicode input. This occurs when the input contains long sequences of combining characters with alternating Canonical Combining Class values, affecting all normalization forms. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CPython (affected versions not specified) **Description** On Windows, the `shutil.unpack archive()` function fails to properly check for absolute paths within ZIP archives. If an archive contains a path with a drive letter (e.g., `C:`), files may be extracted outside of the intended target directory. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions Base64 (affected versions not specified) Description The decoding process using `base64.b64decode()` or related functions would halt upon encountering the first padded quad, even if additional data remained. This could result in the acceptance of data that might be handled differently by other implementations. Using "validate=True" enables stricter base64 data processing. Recommendations Utilize "validate=True" when calling `base64.b64decode()` or related functions to enforce stricter base64 data processing.

**Name of the Vulnerable Software and Affected Versions** Python versions prior to 2.3 **Description** The 'zipfile' module does not validate the ZIP64 End of Central Directory (EOCD) Locator record offset value, leading to potential discrepancies in how ZIP archives are handled compared to other ZIP implementations. Specifically, the module incorrectly assumes the ZIP64 EOCD record's location, potentially allowing crafted ZIP archives to be processed in an unexpected manner. **Recommendations** Update to version 2.3 or later.

**Name of the Vulnerable Software and Affected Versions** html.parser.HTMLParser (affected versions not specified) **Description** The issue concerns the html.parser.HTMLParser class, which has worse-case quadratic complexity when processing certain crafted malformed inputs. This could potentially lead to amplified denial-of-service attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined. **Description** The issue concerns the behavior of TarFile when extracting with a filter and `TarFile.errorlevel = 0`. The documented behavior is that any filtered members should be skipped and not extracted. However, the actual behavior in affected versions is that the member would still be extracted and not skipped. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Python versions 3.12 and later **Description** This vulnerability allows modification of file metadata (e.g., last modified) or file permissions of files outside the intended extraction directory when using the `tarfile` module to extract untrusted tar archives with the `filter="data"` or `filter="tar"` options. For Python 3.14 and later, the default value of the `filter` parameter changed to `"data"`. **Recommendations** Update to a newer version of Python. Specifically, the following package versions address the vulnerability: * `idle-python3.12 - 3.12.7-1ubuntu2.2` * `libpython3.12-dev - 3.12.7-1ubuntu2.2` * `libpython3.12-minimal - 3.12.7-1ubuntu2.2` * `libpython3.12-stdlib - 3.12.7-1ubuntu2.2` * `libpython3.12-testsuite - 3.12.7-1ubuntu2.2` * `libpython3.12t64 - 3.12.7-1ubuntu2.2` * `python3.12 - 3.12.7-1ubuntu2.2` * `python3.12-dev - 3.12.7-1ubuntu2.2` * `python3.12-doc - 3.12.7-1ubuntu2.2` * `python3.12-examples - 3.12.7-1ubuntu2.2` * `python3.12-full - 3.12.7-1ubuntu2.2` * `python3.12-gdbm - 3.12.7-1ubuntu2.2` * `python3.12-minimal - 3.12.7-1ubuntu2.2` * `python3.12-nopie - 3.12.7-1ubuntu2.2` * `python3.12-tk - 3.12.7-1ubuntu2.2` * `python3.12-venv - 3.12.7-1ubuntu2.2` * `idle-python3.13 - 3.13.0-1ubuntu0.3` * `libpython3.13 - 3.13.0-1ubuntu0.3` * `libpython3.13-dev - 3.13.0-1ubuntu0.3` * `libpython3.13-minimal - 3.13.0-1ubuntu0.3` * `libpython3.13-stdlib - 3.13.0-1ubuntu0.3` * `libpython3.13-testsuite - 3.13.0-1ubuntu0.3` * `python3.13 - 3.13.0-1ubuntu0.3` * `python3.13-dev - 3.13.0-1ubuntu0.3` * `python3.13-doc - 3.13.0-1ubuntu0.3` * `python3.13-examples - 3.13.0-1ubuntu0.3` * `python3.13-full - 3.13.0-1ubuntu0.3` * `python3.13-gdbm - 3.13.0-1ubuntu0.3` * `python3.13-minimal - 3.13.0-1ubuntu0.3` * `python3.13-nopie - 3.13.0-1ubuntu0.3` * `python3.13-tk - 3.13.0-1ubuntu0.3` * `python3.13-venv - 3.13.0-1ubuntu0.3`

**Name of the Vulnerable Software and Affected Versions** Python versions 3.12 and later **Description** The issue allows the extraction filter to be ignored, enabling symlink targets to point outside the destination directory and the modification of some file metadata. This affects users who extract untrusted tar archives using TarFile.extractall() or TarFile.extract() with the filter parameter set to "data" or "tar". For Python 3.14 and later, the default filter value changed to "data", which also affects usage relying on this new default behavior. The installation of source distributions, which are tar archives, is not significantly affected as they already allow arbitrary code execution during the build process. **Recommendations** For Python versions 3.12 and later, consider avoiding the use of the filter parameter with values "data" or "tar" when extracting untrusted tar archives using TarFile.extractall() or TarFile.extract() until a patch is available. As a temporary workaround, consider disabling the extraction filter feature when dealing with untrusted archives. For Python 3.14 and later, be cautious when relying on the new default filter behavior, as it may introduce this issue.

**Name of the Vulnerable Software and Affected Versions** Python versions 3.12 and later **Description** The issue allows the extraction filter to be ignored, enabling symlink targets to point outside the destination directory and the modification of some file metadata. This affects users who utilize the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() with the filter parameter set to "data" or "tar". For Python 3.14 and later, the default filter value changed to "data", which also affects usage relying on this new default behavior. The installation of source distributions, which are tar archives, is not significantly affected as they already allow arbitrary code execution during the build process. **Recommendations** For Python versions 3.12 and later, consider updating to a version where this issue is fixed, although the specific fixed version is not provided. As a temporary workaround, avoid using the filter parameter with values of "data" or "tar" when extracting untrusted tar archives with TarFile.extractall() or TarFile.extract() until a patch is available. Restrict access to untrusted tar archives to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Python versions 3.12 and later **Description** The issue allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data" when using the tarfile module to extract untrusted tar archives. This affects users of Python versions 3.12 or later, as earlier versions do not include the extraction filter feature. For Python 3.14 or later, the default value of filter changed to "data", so users relying on this new default behavior are also affected. **Recommendations** For Python versions 3.12 and later, update to a version where the issue is fixed, as the default behavior change in Python 3.14 or later may affect usage. As a temporary workaround, consider avoiding the use of the filter parameter with a value of "data" or "tar" in TarFile.extractall() or TarFile.extract() until a patch is available. Restrict access to untrusted tar archives to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** python3.9 python3.11 python3.13 **Description** When reading an HTTP response from a server, if no read amount is specified, the default behavior is to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing Out Of Memory (OOM) errors or other Denial of Service (DoS) conditions. The issue resides in the `http.client` module. **Recommendations** For python3.9, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For python3.11, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For python3.13, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** python3.9 python3.11 python3.13 **Description** The plistlib module does not properly validate the size of plist files during loading. A malicious plist file can specify a size that causes the module to attempt to allocate an excessive amount of memory, leading to an out-of-memory (OOM) condition and potential denial-of-service (DoS) issues. **Recommendations** For python3.9, avoid loading plist files from untrusted sources. For python3.11, avoid loading plist files from untrusted sources. For python3.13, avoid loading plist files from untrusted sources.

**Name of the Vulnerable Software and Affected Versions** Python versions 3.1 through 3.3 **Description** The issue allows remote attackers to obtain sensitive information, such as process memory, or cause a denial of service, resulting in memory corruption and crash, via unspecified vectors. This is due to the utf-16 decoder not updating the aligned end variable after calling the unicode decode call errorhandler function. **Recommendations** For Python versions 3.1 through 3.3, at the moment, there is no information about a newer version that contains a fix for this vulnerability.