Your message dated Thu, 10 Oct 2024 16:32:08 +0000
with message-id <[email protected]>
and subject line Bug#1080245: fixed in python3.11 3.11.2-6+deb12u4
has caused the Debian Bug report #1080245,
regarding python3.11: zipfile.Path regression introduced by CVE-2024-8088 fix
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1080245: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1080245
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python3.11
Version: 3.11.2-6+deb12u3
Severity: important
Forwarded: https://github.com/python/cpython/issues/123270
X-Debbugs-Cc: [email protected]
Dear security team,
python3.11 3.11.2-6+deb12u3 and specifically the CVE-2024-8088 introduced a
regression in zipfile.Path. This has been reported upstream at:
https://github.com/python/cpython/issues/123270.
I have confirmed the change in behaviour described at:
https://github.com/python/cpython/issues/123270#issuecomment-2307711914
between 3.11.2-6+deb12u2 and 3.11.2-6+deb12u3.
Cheers,
-- System Information:
Debian Release: 12.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'oldstable-security'), (500, 'stable'), (500, 'oldstable'), (1, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-23-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: python3.11
Source-Version: 3.11.2-6+deb12u4
Done: Santiago Ruano Rincón <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python3.11, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Ruano Rincón <[email protected]> (supplier of updated python3.11
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 14 Sep 2024 00:00:30 -0300
Source: python3.11
Architecture: source
Version: 3.11.2-6+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: Matthias Klose <[email protected]>
Changed-By: Santiago Ruano Rincón <[email protected]>
Closes: 1080245
Changes:
 python3.11 (3.11.2-6+deb12u4) bookworm; urgency=medium
 .
   * Fix zipfile.Path regression introduced by 3.11.2-6+deb12u3
     (Closes: 1080245)
   * Fix CVE-2024-6232: Regular expressions that allowed excessive backtracking
     during tarfile.TarFile header parsing are vulnerable to ReDoS via
     specifically-crafted tar archives
-----BEGIN PGP SIGNATURE-----
iHUEARYIAB0WIQR+lHTq7mkJOyB6t2Un3j1FEEiG7wUCZvlhnwAKCRAn3j1FEEiG
791mAP0UulR76MAwuKOeeo+2PKZkwg22dXPzoHhAlP5SLBDXOgD7B/se8PkMgwDD
Pp15USKVZsPYFQnQTEWZY8Xe5Boh+QY=
=PD4D
-----END PGP SIGNATURE-----
--- End Message ---