[Bug 1206141] New: VUL-0: CVE-2022-44900: python-py7zr: directory traversal vulnerability in the SevenZipFile.extractall()
http://bugzilla.opensuse.org/show_bug.cgi?id=1206141

Bug ID: 1206141
Summary: VUL-0: CVE-2022-44900: python-py7zr: directory traversal vulnerability in the SevenZipFile.extractall()
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
URL: https://smash.suse.de/issue/349934/
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: code@bnavigator.de
Reporter: thomas.leroy@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

CVE-2022-44900

A directory traversal vulnerability in the SevenZipFile.extractall() function of the Python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-44900
https://www.cve.org/CVERecord?id=CVE-2022-44900
https://github.com/miurahr/py7zr/commit/1bb43f17515c7f69673a1c88ab9cc72a7bbe...

--
You are receiving this mail because: You are on the CC list for the bug.
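The flaw class above is an archive member name that resolves outside the extraction directory. As an added example (not py7zr's own code and not its upstream fix), the following pre-extraction gate shows what a caller or a packager's regression test can check: it takes the entry names an archive reports and rejects any that would escape the destination. The member names are constructed for the example; `is_safe_member` and `filter_members` are hypothetical helper names.

```python
import os
import posixpath
import re

# Constructed sample entry names, as an archive listing might report them.
SAMPLE_MEMBERS = [
    "docs/readme.txt",          # ordinary relative entry
    "docs/../notes.txt",        # normalises to notes.txt, still inside
    "../../etc/cron.d/job",     # climbs out of the extraction directory
    "/etc/passwd",              # absolute path
    "C:\\Windows\\win.ini",     # Windows drive-absolute path
    "dir/../../escape.txt",     # climbs out after entering a subdirectory
    "",                         # empty name
]

_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def is_safe_member(dest_dir: str, member: str) -> bool:
    """Return True only if extracting `member` would land inside dest_dir.

    Archive entries use '/' separators; backslashes are treated as
    separators too so a Windows-style traversal cannot slip past the check.
    """
    if not member:
        return False
    name = member.replace("\\", "/")
    # Absolute paths and drive letters can never be inside dest_dir.
    if name.startswith("/") or _DRIVE_RE.match(name):
        return False
    # Collapse '.' and '..' lexically; anything still starting with '..'
    # escapes the destination no matter what follows.
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        return False
    # Second layer: resolve against the real destination on this filesystem
    # and require the target to be dest itself or a descendant of it.
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, *norm.split("/")))
    return target == dest or target.startswith(dest + os.sep)


def filter_members(dest_dir: str, members):
    """Split member names into (safe, rejected) lists for logging or refusal."""
    safe, rejected = [], []
    for m in members:
        (safe if is_safe_member(dest_dir, m) else rejected).append(m)
    return safe, rejected
```

A fixed extractor should accept only the first two sample names; treating a rejected entry as a hard error, rather than silently skipping it, makes tampered archives visible in logs.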
http://bugzilla.opensuse.org/show_bug.cgi?id=1206141#c1

--- Comment #1 from Thomas Leroy <thomas.leroy@suse.com> ---
openSUSE:Factory should be affected
http://bugzilla.opensuse.org/show_bug.cgi?id=1206141#c2

Benjamin Greiner <code@bnavigator.de> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
         Status    |NEW         |IN_PROGRESS
             CC    |            |ecsos@schirra.net

--- Comment #2 from Benjamin Greiner <code@bnavigator.de> ---
Updating py7zr had been deferred because the new versions require many more packages and calibre is the only consumer. (See https://build.opensuse.org/request/show/989252)

But with the CVE, we can no longer wait. Submit request is here: https://build.opensuse.org/request/show/1044074
http://bugzilla.opensuse.org/show_bug.cgi?id=1206141#c3

--- Comment #3 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1206141) was mentioned in
https://build.opensuse.org/request/show/1044224 Factory / python-py7zr
http://bugzilla.opensuse.org/show_bug.cgi?id=1206141#c4

Benjamin Greiner <code@bnavigator.de> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
         Status    |IN_PROGRESS |RESOLVED
     Resolution    |---         |FIXED

--- Comment #4 from Benjamin Greiner <code@bnavigator.de> ---
v0.20.2 is in Factory