
[GHSA-jm46-725r-hh9v] An issue was found in the CPython zipfile module... #4204

Open. Wants to merge 1 commit into base: sparrowt/advisory-improvement-4204

Conversation

sparrowt

@sparrowt sparrowt commented Apr 3, 2024

Updates

  • Affected products
  • Description
  • Summary

Comments
This PR makes a correction to the list of python versions which GHSA-jm46-725r-hh9v states are affected by CVE-2024-0450, for example:

(I'm unsure for earlier python versions, for example although it appears to have been backported to the 3.10 branch by python/cpython#113914 it is not yet shown on https://docs.python.org/3.10/whatsnew/changelog.html so I'm unclear on whether there is yet a released version of 3.10 with the patch or not.)

@github-actions github-actions bot changed the base branch from main to sparrowt/advisory-improvement-4204 April 3, 2024 10:19
@sparrowt (Author)

sparrowt commented Apr 3, 2024

Note: I was unable to submit the 'improve' form without selecting something under the mandatory "Affected products" field (see here for someone else hitting the same issue).

In order to proceed therefore I chose 'pip' as it was the closest thing, but clearly it is not correct - but "python" or "cpython" was not an option.

Comment on lines +18 to +33
{
  "package": {
    "ecosystem": "PyPI",
    "name": ""
  },
  "ranges": [
    {
      "type": "ECOSYSTEM",
      "events": [
        {
          "introduced": "0"
        }
      ]
    }
  ]
}
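Review bot: the `affected` entry at lines +18 to +33 has an empty `package.name` and a single `ECOSYSTEM` range whose only event is `"introduced": "0"` with no `fixed` or `last_affected` event, so as written it marks every version of an unnamed PyPI package as vulnerable. Since https://github.com/python/cpython is not a PyPI package, dropping the whole block (as the suggestion below does) is preferable to leaving a placeholder range in a reviewed advisory; corrected version bounds belong with the CVE record's CNA rather than in this file.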
Author (sparrowt):

unfortunately it seems I cannot edit this auto-created branch, so I'll put it here as a suggestion instead:

Suggested change
{
  "package": {
    "ecosystem": "PyPI",
    "name": ""
  },
  "ranges": [
    {
      "type": "ECOSYSTEM",
      "events": [
        {
          "introduced": "0"
        }
      ]
    }
  ]
}

Removing the 'affected' details which I was forced to add (as explained here)
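To make concrete why the auto-generated block above is wrong rather than merely incomplete, here is an added example (not code from the advisory-database project or from the PR author) that evaluates OSV-style `ECOSYSTEM` ranges the way a vulnerability scanner would, and lints an `affected` entry for the two defects visible in the snippet: an empty `package.name` and an `introduced` event with no closing `fixed`/`last_affected` event. It assumes a simplified dotted-integer version scheme; real PyPI versions follow PEP 440 and would need `packaging.version`. The bounded entry `example-pkg` and its version numbers are constructed for contrast and are not the advisory's real data.

```python
"""Evaluate and lint OSV-style 'affected' entries (ECOSYSTEM ranges).

Added example; not code from the advisory-database project.
Assumption: versions are dotted integers like "3.12.2" (PEP 440 is richer).
"""
from __future__ import annotations

import json

# The 'affected' block exactly as it appeared in the auto-generated PR
# (lines +18 to +33): empty package name, open-ended range from "0".
AUTO_GENERATED_AFFECTED = json.loads("""
{
  "package": {"ecosystem": "PyPI", "name": ""},
  "ranges": [
    {"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}
  ]
}
""")

# A constructed, properly bounded entry for comparison. The package name and
# versions are hypothetical, not the advisory's real data.
BOUNDED_AFFECTED = json.loads("""
{
  "package": {"ecosystem": "PyPI", "name": "example-pkg"},
  "ranges": [
    {"type": "ECOSYSTEM",
     "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.2"}]}
  ]
}
""")


def parse_version(v: str) -> tuple[int, ...]:
    """Simplified version parsing: "0" sorts below every real release."""
    return tuple(int(part) for part in v.split("."))


def version_in_range(rng: dict, version: str) -> bool:
    """OSV semantics: events are listed in ascending order; the last event at or
    below `version` decides. 'introduced' opens an affected interval, 'fixed'
    closes it."""
    v = parse_version(version)
    affected = False
    for event in rng["events"]:
        if "introduced" in event and v >= parse_version(event["introduced"]):
            affected = True
        elif "fixed" in event and v >= parse_version(event["fixed"]):
            affected = False
    return affected


def is_affected(entry: dict, package_name: str, version: str) -> bool:
    """True if package_name@version falls in any ECOSYSTEM range of the entry."""
    if entry["package"]["name"] != package_name:
        return False
    return any(version_in_range(r, version)
               for r in entry["ranges"] if r["type"] == "ECOSYSTEM")


def validate_affected(entry: dict) -> list[str]:
    """Lint checks a reviewer would run on an 'affected' entry before merging."""
    problems: list[str] = []
    if not entry["package"]["name"]:
        problems.append("package.name is empty")
    for rng in entry["ranges"]:
        closed = any("fixed" in e or "last_affected" in e for e in rng["events"])
        if not closed:
            problems.append("range has no 'fixed'/'last_affected' event: "
                            "every version from 'introduced' onward is flagged")
    return problems


if __name__ == "__main__":
    print("auto-generated entry problems:", validate_affected(AUTO_GENERATED_AFFECTED))
    print("bounded entry problems:", validate_affected(BOUNDED_AFFECTED))
    for ver in ("0.9", "1.2.0", "1.4.2"):
        print(f"example-pkg {ver} affected:", is_affected(BOUNDED_AFFECTED, "example-pkg", ver))
```

Running the linter on the auto-generated block reports both defects, while the constructed bounded entry passes and only flags versions in `[1.0.0, 1.4.2)`; this is the difference between "we do not know the bounds" (which belongs in the CVE record, as the maintainer notes below) and "every version is vulnerable", which is what the placeholder range silently asserts.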

@shelbyc

shelbyc commented Apr 3, 2024

👋 Hi @sparrowt, as you discovered when submitting the improve form, advisories that appear in a reviewed state in the GitHub Advisory Database must fall under one of our supported ecosystems. https://github.com/python/cpython doesn't correspond to any packages in the pip ecosystem, so we cannot review GHSA-jm46-725r-hh9v.

However, if you have not done so already, I encourage you to contact the Python Software Foundation, the CVE Numbering Authority that issued CVE-2024-0450, with your findings and request that they amend the CVE record to include corrected vulnerable version information.

Thank you for your interest in GHSA-jm46-725r-hh9v/CVE-2024-0450.

@taladrane
Collaborator

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@taladrane taladrane added Stale and removed Stale labels Apr 22, 2024