Vulnerabilities affecting this package (0)
| Vulnerability |
Summary |
Fixed by |
|
This package is not known to be affected by vulnerabilities.
|
Vulnerabilities fixed by this package (8)
| Vulnerability |
Summary |
Aliases |
|
VCID-1uk5-6yqb-dyb5
|
cpython: Out-of-memory when loading Plist
|
CVE-2025-13837
|
|
VCID-5maz-1h1k-3qfj
|
Multiple vulberabilities have been discovered in Python and PyPy, the worst of which can lead to privilege escalation.
|
CVE-2025-4516
|
|
VCID-8dtv-379a-wqfs
|
cpython: Excessive read buffering DoS in http.client
|
CVE-2025-13836
|
|
VCID-emaw-jmek-9bcy
|
cpython: Python HTMLParser quadratic complexity
|
CVE-2025-6069
|
|
VCID-ewbq-2gm8-tyf5
|
Buffer overflow in sponge queue functions
### Impact
The Keccak sponge function interface accepts partial inputs to be absorbed and partial outputs to be squeezed. A buffer can overflow when partial data with some specific sizes are queued, where at least one of them has a length of 2^32 - 200 bytes or more.
### Patches
Yes, see commit [fdc6fef0](https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a).
### Workarounds
The problem can be avoided by limiting the size of the partial input data (or partial output digest) below 2^32 - 200 bytes. Multiple calls to the queue system can be chained at a higher level to retain the original functionality. Alternatively, one can process the entire input (or produce the entire output) at once, avoiding the queuing functions altogether.
### References
See [issue #105](https://github.com/XKCP/XKCP/issues/105) for more details.
|
CVE-2022-37454
GHSA-6w4m-2xhg-2658
|
|
VCID-fcsb-dn49-47gy
|
python: Quadratic complexity in os.path.expandvars() with user-controlled template
|
CVE-2025-6075
|
|
VCID-mtk7-qut6-syd8
|
cpython: Cpython infinite loop when parsing a tarfile
|
CVE-2025-8194
|
|
VCID-znkr-fxtj-4uc7
|
cpython: python: Python zipfile End of Central Directory (EOCD) Locator record offset not checked
|
CVE-2025-8291
|