Headline
Debian Security Advisory 5763-1
Debian Linux Security Advisory 5763-1 - William Khem-Marquez discovered that Pymatgen, a Python library for materials analysis, could be tricked into running arbitrary code if a malformed CIF file is processed.
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5763-1 [email protected]://www.debian.org/security/ Moritz MuehlenhoffAugust 30, 2024 https://www.debian.org/security/faq- -------------------------------------------------------------------------Package : pymatgenCVE ID : CVE-2024-23346William Khem-Marquez discovered that Pymatgen, a Python library formaterials analysis, could be tricked into running arbitrary code if amalformed CIF file is processed.For the stable distribution (bookworm), this problem has been fixed inversion 2022.11.7+dfsg1-11+deb12u1.We recommend that you upgrade your pymatgen packages.For the detailed security status of pymatgen please refer toits security tracker page at:https://security-tracker.debian.org/tracker/pymatgenFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: [email protected] PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmbSCEcACgkQEMKTtsN8TjaJDxAAke20viDFhNtKyuwC3JuvZHI5Ql0l+4vS0HmHvAQcaV7JVMtnUWpmMHuC/xK6gqhPzfubWnvOBjXCgxSR6ubE+eY68WXiWQ4qPs96lHgZyAZOpbPbgrlBW+igYGtBfT9MJMwcWbXNlAHdfWxWA+DQrnEFB/TuYA9UgN1qINBkvQxiRwPFvATX00S3ds31Noic3as8OmaWEpG+xcLVLwrX5/UCz7csmkvUjRYf1oqtTQH2SlAlHAX5i55TmL0MbK39JuVD3CxSBH4OH7f6PastJFoVUIx6c3ZDrxZPZZ1wNSdaLdGYVCUF6DihZR/5LkjH5MmRBq0ZCQSLq4AWLjcKRsJnhu0soVXfI7yn3oc58yqqG3ruqjIlrbhFZkm5Fj7jeNuX+aSEFw4vd1bHwGCO7g+EAbQ4MWYYP0EsyXtN5X3O/v4MgkF4WK1To+TqG+SjB7hwV7Crdui0Iv89eZCGfsMnpRWvXwdnzOIfjgPBWXQkgPqDEDj8q4LkpQGdy/gCr772I79hkuqH0AhpzWZmSlwGU5NRBu09OAiVxXADScMfyggsteWriSBPv+zkZb4s+c8zNUjVdO4mcJIsOaT0FLncj4gUS0Eo5/vsb1QZMEsznp8Lrru1PAKKUvpYhzxoK/Y5ecovFFkHnXIc0qPhPOlvSpxpAURr5l2PEiALQNI==ZU7M-----END PGP SIGNATURE-----Related news
### Summary A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library. This method insecurely utilizes eval() for processing input, enabling execution of arbitrary code when parsing untrusted input. This can be exploited when parsing a maliciously-created CIF file. ### Details The cause of the vulnerability is in [pymatgen/symmetry/settings.py#L97C1-L111C108](https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108). The flawed code segment involves a regular expression operation followed by the use of `eval()`. #### Vulnerable code ```py basis_change = [ re.sub(r"(?<=\w|\))(?=\() | (?<=\))(?=\w) | (?<=(\d|a|b|c))(?=([abc]))", r"*", string, flags=re.X) for string in basis_change ] """snip""" ([eval(x, {"__builtins__": None}, {"a": a, "b": b, "c": c}) for x in basis_change]) ``` The use of eval, even with `__builtins__` set to `None`, is still a sec...