SUSE has issued an advisory on July 11:
https://lists.suse.com/pipermail/sle-updates/2024-July/035932.html

The problem is fixed in versions 3.19.1 and above. The fix is:
https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd

Mageia 9 is also affected.
Source RPM: (none) => python-zipp-3.8.1-4.mga10.src.rpm, python-zipp-3.8.1-3.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 3.19.1 and patch available from upstream and openSUSE
CVE: (none) => CVE-2024-5569
Assigning to Python maintainers.
Assignee: bugsquad => python
That issue was fixed in Cauldron.
Source RPM: python-zipp-3.8.1-4.mga10.src.rpm, python-zipp-3.8.1-3.mga9.src.rpm => python-zipp-3.8.1-3.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Denial of Service via crafted zip file in jaraco/zipp. (CVE-2024-5569)

References:
https://lists.suse.com/pipermail/sle-updates/2024-July/035932.html
========================

Updated package in core/updates_testing:
========================
python3-zipp-3.8.1-3.1.mga9

from SRPM:
python-zipp-3.8.1-3.1.mga9.src.rpm
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 3.19.1 and patch available from upstream and openSUSE => (none)
Assignee: python => qa-bugs
Ran into a snag on this one. Looking for a test:

$ urpmq --whatrequires-recursive python3-zipp
python3-autobahn+dev
python3-cliff
python3-importlib-metadata
python3-jupyter-cache
python3-myst-nb
python3-osc-lib
python3-pytest-checkdocs
python3-rebookmaker
python3-stestr
python3-tempest
python3-twine
python3-zipp
wapiti

So, I thought I'd look into wapiti, seeking guidance from the Web. I learned that basically it is a tool for scanning web sites/pages to look for vulnerabilities. It's used by ethical hackers to make web sites more secure. There are a number of tutorial sites and videos available.

So, I installed wapiti in a MGA9 VirtualBox guest, and tried to run the most basic command, and got this:

$ wapiti -h
Traceback (most recent call last):
  File "/usr/bin/wapiti", line 33, in <module>
    sys.exit(load_entry_point('wapiti3==3.0.5', 'console_scripts', 'wapiti')())
  File "/usr/bin/wapiti", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/lib64/python3.10/importlib/metadata/__init__.py", line 171, in load
    module = import_module(match.group('module'))
  File "/usr/lib64/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/usr/lib/python3.10/site-packages/wapitiCore/main/wapiti.py", line 39, in <module>
    import browser_cookie3
  File "/usr/lib/python3.10/site-packages/browser_cookie3/__init__.py", line 10, in <module>
    import lz4.block
ModuleNotFoundError: No module named 'lz4'

That is NOT the output I was supposed to get.
I installed the update, with no issues, and tried again, with similar results. Either our wapiti is horribly broken, or I'm doing something horribly wrong. With less than zero experience in this area, I have no idea which is true. Since the update didn't make any real difference, I suppose I could OK it on a clean install, unless someone knows of another way to test it.
CC: (none) => andrewsfarm
Keywords: (none) => advisory
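A way to exercise python3-zipp directly, without going through wapiti. This is an added example, not code from this report or from jaraco/zipp. It assumes (my reading of the linked upstream fix, not something this thread states) that the hang behind CVE-2024-5569 is the ancestry walk that zipp's CompleteDirs runs over every entry name: posixpath.split('//') returns ('//', ''), so a head that is nothing but separators never shrinks. The two walkers below are re-implementations shaped like the pre- and post-3.19.1 code, with a step cap on the old one so that the script reports the loop instead of hanging; the archive is constructed in memory and the entry names are sample data.

```python
"""Bounded model of the zipp path-ancestry walk, before and after 3.19.1.

Added example, not code from this bug report or from jaraco/zipp. Assumption:
the CVE-2024-5569 hang is the ancestry walk looping on an entry name whose
head collapses to a run of separators, because posixpath.split('//') gives
('//', '') and the head never gets shorter.
"""
import io
import posixpath
import zipfile

MAX_STEPS = 64  # guard so the pre-fix walk raises instead of hanging this script


def ancestry_before(path, max_steps=MAX_STEPS):
    """Pre-3.19.1 shaped walk: stops only when the head becomes '' or '/'.

    A head of '//' (or any longer run of separators) is neither, so on such
    input the loop never ends; the step cap turns that into a RuntimeError.
    """
    path = path.rstrip(posixpath.sep)
    steps = 0
    while path and path != posixpath.sep:
        steps += 1
        if steps > max_steps:
            raise RuntimeError(f"ancestry walk did not terminate for {path!r}")
        yield path
        path, _tail = posixpath.split(path)


def ancestry_after(path):
    """3.19.1 shaped walk: stops as soon as the head is nothing but separators."""
    path = path.rstrip(posixpath.sep)
    while path.rstrip(posixpath.sep):
        yield path
        path, _tail = posixpath.split(path)


def crafted_names():
    """Entry names of a constructed in-memory archive (sample data, not a real sample).

    zipfile keeps entry names as written, so the doubled-separator name
    survives the round trip and reaches any consumer that walks namelist().
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"ordinary entry")
        zf.writestr("//looped.txt", b"name starting with a doubled separator")
    with zipfile.ZipFile(io.BytesIO(buf.getvalue())) as zf:
        return zf.namelist()


def names_that_hang(names):
    """Return the entry names on which the pre-fix walk fails to terminate."""
    hangs = []
    for name in names:
        try:
            list(ancestry_before(name))
        except RuntimeError:
            hangs.append(name)
    return hangs


if __name__ == "__main__":
    names = crafted_names()
    print("entries:", names)
    print("pre-fix walk hangs on:", names_that_hang(names))
    for name in names:
        print(f"post-fix ancestry of {name!r}:", list(ancestry_after(name)))
```

To check the installed package rather than this model, write the same two-entry archive to disk and run zipp.Path(archive).iterdir() under a `timeout` wrapper: the unfixed code raises nothing, it simply never returns, so a wall-clock limit is the only usable oracle.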
lz4 is provided by the python3-lz4 package, although it's not a dependency (Requires: or Suggests:) of the python3-browser-cookie3 package, which it looks like it should be. Someone should figure out why it's not being added automatically.
CC: (none) => dan
So, do we fix wapiti here, or do it with another bug? While you are considering the matter, I wouldn't be at all surprised if Cauldron's wapiti has the same issue. I could try installing python3-lz4 to see what happens... I think I'll save a snapshot of my mga9 guest and then give it a try.
And that brings up a new one:

$ wapiti -h
Traceback (most recent call last):
  File "/usr/bin/wapiti", line 33, in <module>
    sys.exit(load_entry_point('wapiti3==3.0.5', 'console_scripts', 'wapiti')())
  File "/usr/bin/wapiti", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/lib64/python3.10/importlib/metadata/__init__.py", line 171, in load
    module = import_module(match.group('module'))
  File "/usr/lib64/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/usr/lib/python3.10/site-packages/wapitiCore/main/wapiti.py", line 39, in <module>
    import browser_cookie3
  File "/usr/lib/python3.10/site-packages/browser_cookie3/__init__.py", line 14, in <module>
    from Crypto.Cipher import AES
ModuleNotFoundError: No module named 'Crypto'
(In reply to Thomas Andrews from comment #7)
> And that brings up a new one:
>
> $ wapiti -h
> Traceback (most recent call last):
>   File "/usr/bin/wapiti", line 33, in <module>
>     sys.exit(load_entry_point('wapiti3==3.0.5', 'console_scripts', 'wapiti')())
>   File "/usr/bin/wapiti", line 25, in importlib_load_entry_point
>     return next(matches).load()
>   File "/usr/lib64/python3.10/importlib/metadata/__init__.py", line 171, in load
>     module = import_module(match.group('module'))
>   File "/usr/lib64/python3.10/importlib/__init__.py", line 126, in import_module
>     return _bootstrap._gcd_import(name[level:], package, level)
>   File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
>   File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
>   File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
>   File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
>   File "<frozen importlib._bootstrap_external>", line 883, in exec_module
>   File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
>   File "/usr/lib/python3.10/site-packages/wapitiCore/main/wapiti.py", line 39, in <module>
>     import browser_cookie3
>   File "/usr/lib/python3.10/site-packages/browser_cookie3/__init__.py", line 14, in <module>
>     from Crypto.Cipher import AES
> ModuleNotFoundError: No module named 'Crypto'

Can you test installing packages from bug#32584, and please open a bug for wapiti.
(In reply to katnatek from comment #8)
>
> Can you test installing packages from bug#32584, and please open a bug for
> wapiti.

The Princeton mirror has to catch up first. Qarepo says it's missing one of the packages from that bug. However, python3-cryptography is already installed in that guest, so my guess is that update won't make a difference. Looking at a drakrpm search, I see references to "crypto" and "Crypto" as if they are two different things.
The updates from bug 32584 made no difference, as expected. Bug 34021 now open for wapiti in Mageia 9. Cauldron probably is also affected, but I can't confirm it. With no other way that I can see to test python3-zipp, I'm OKing this on a clean install. Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0066.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED