Headline
Ubuntu Security Notice USN-6906-1
Ubuntu Security Notice 6906-1 - It was discovered that python-zipp did not properly handle the zip files with malformed names. An attacker could possibly use this issue to cause a denial of service.
==========================================================================
Ubuntu Security Notice USN-6906-1
July 24, 2024
python-zipp vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
python-zipp could be made to crash if certain zip files are used.
Software Description:
- python-zipp: pathlib-compatible Zipfile object wrapper - Python 3.x
Details:
It was discovered that python-zipp did not properly handle the zip files
with malformed names. An attacker could possibly use this issue to cause a
denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
python3-zipp 1.0.0-6ubuntu0.1
Ubuntu 22.04 LTS
python3-zipp 1.0.0-3ubuntu0.1
Ubuntu 20.04 LTS
pypy-zipp 1.0.0-1ubuntu0.1
python-zipp 1.0.0-1ubuntu0.1
python3-zipp 1.0.0-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6906-1
CVE-2024-5569
Package Information:
https://launchpad.net/ubuntu/+source/python-zipp/1.0.0-6ubuntu0.1
https://launchpad.net/ubuntu/+source/python-zipp/1.0.0-3ubuntu0.1
https://launchpad.net/ubuntu/+source/python-zipp/1.0.0-1ubuntu0.1
Related news
Red Hat Security Advisory 2024-8906-03 - A new release is now available for Red Hat Satellite 6.16 for RHEL 8 and 9. Issues addressed include bypass, denial of service, memory leak, remote SQL injection, and traversal vulnerabilities.
Red Hat Security Advisory 2024-8232-03 - Red Hat OpenShift Container Platform release 4.17.2 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-6428-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include denial of service, memory exhaustion, remote SQL injection, and traversal vulnerabilities.
A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.