Bug 34285 - python3 new security issues CVE-2025-4516, CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517, CVE-2025-8194
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All, OS: Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 34007
Reported: 2025-05-19 09:40 CEST by Nicolas Salguero
Modified: 2025-11-12 22:36 CET (History)

See Also:
Source RPM: python3-3.10.11-1.3.mga9.src.rpm
CVE: CVE-2025-0938, CVE-2025-1795, CVE-2024-9287, CVE-2025-4516, CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517, CVE-2025-8194
Status comment:
Description Nicolas Salguero 2025-05-19 09:40:48 CEST
CVE-2025-4516 was announced here:
https://www.openwall.com/lists/oss-security/2025/05/16/4
Nicolas Salguero 2025-05-19 09:42:03 CEST

Source RPM: (none) => python3-3.13.3-1.mga10.src.rpm, python3-3.10.11-1.3.mga9.src.rpm
CVE: (none) => CVE-2025-4516
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2025-05-19 21:23:53 CEST
https://www.openwall.com/lists/oss-security/2025/05/16/4
https://github.com/python/cpython/pull/129648
https://github.com/python/cpython/pull/129648/commits/be5d80cec9650a9ea252537d5050fa9f984c486f

The last is a patch, rather big, but it says at the top: 3 commits.

Assignee: bugsquad => python

Comment 2 Nicolas Salguero 2025-05-23 10:25:20 CEST
python3-3.13.3-2.mga10 solves that issue for Cauldron.

Whiteboard: MGA9TOO => (none)
Source RPM: python3-3.13.3-1.mga10.src.rpm, python3-3.10.11-1.3.mga9.src.rpm => python3-3.10.11-1.3.mga9.src.rpm
Version: Cauldron => 9

Comment 3 Nicolas Salguero 2025-06-13 15:43:59 CEST
Fedora has issued an advisory on June 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUW6UXZQE7B4PPK3PK3NZAWP5PVOU5L3/

All those CVEs are fixed in 3.13.4 so only Mageia 9 is affected.

CVE: CVE-2025-4516 => CVE-2025-4516, CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517
Summary: python3 new security issue CVE-2025-4516 => python3 new security issues CVE-2025-4516, CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517

Comment 4 Nicolas Salguero 2025-06-24 10:02:30 CEST
Another reference:
https://www.openwall.com/lists/oss-security/2025/06/24/1
Comment 5 Nicolas Salguero 2025-08-27 13:29:44 CEST
CVE-2025-8194 was announced here: https://www.openwall.com/lists/oss-security/2025/07/28/1

CVE: CVE-2025-4516, CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517 => CVE-2025-4516, CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517, CVE-2025-8194
Summary: python3 new security issues CVE-2025-4516, CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517 => python3 new security issues CVE-2025-4516, CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517, CVE-2025-8194

Nicolas Salguero 2025-11-10 10:51:17 CET

Blocks: (none) => 34007

Comment 6 Nicolas Salguero 2025-11-10 11:32:40 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

URL parser allowed square brackets in domain names. (CVE-2025-0938)

Mishandling of comma during folding and unicode-encoding of email headers. (CVE-2025-1795)

Virtual environment (venv) activation scripts don't quote paths. (CVE-2024-9287)

Use-after-free in "unicode_escape" decoder with error handler. (CVE-2025-4516)

Bypass extraction filter to modify file metadata outside extraction directory. (CVE-2024-12718)

Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory. (CVE-2025-4138)

Extraction filter bypass for linking outside extraction directory. (CVE-2025-4330)

Tarfile extracts filtered members when errorlevel=0. (CVE-2025-4435)

Arbitrary writes via tarfile realpath overflow. (CVE-2025-4517)

Tarfile infinite loop during parsing with negative member offset. (CVE-2025-8194)

References:
https://bugs.mageia.org/show_bug.cgi?id=34007
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FRAYUVWW2DYX7RTRPVFLFADRHABRVQN/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NNC4GZYGFZ76A7NUZ5BG2CMGVR32LXCG/
https://ubuntu.com/security/notices/USN-7488-1
https://www.openwall.com/lists/oss-security/2025/05/16/4
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUW6UXZQE7B4PPK3PK3NZAWP5PVOU5L3/
https://www.openwall.com/lists/oss-security/2025/06/24/1
https://www.openwall.com/lists/oss-security/2025/07/28/1
========================

Updated packages in core/updates_testing:
========================
lib(64)python3-devel-3.10.18-1.4.mga9
lib(64)python3.10-3.10.18-1.4.mga9
lib(64)python3.10-stdlib-3.10.18-1.4.mga9
lib(64)python3.10-testsuite-3.10.18-1.4.mga9
python3-3.10.18-1.4.mga9
python3-docs-3.10.18-1.4.mga9
tkinter3-3.10.18-1.4.mga9
tkinter3-apps-3.10.18-1.4.mga9

from SRPM:
python3-3.10.18-1.4.mga9.src.rpm

CVE: CVE-2025-4516, CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517, CVE-2025-8194 => CVE-2025-0938, CVE-2025-1795, CVE-2024-9287, CVE-2025-4516, CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517, CVE-2025-8194
Status: NEW => ASSIGNED
Assignee: python => qa-bugs

katnatek 2025-11-11 00:27:37 CET

Keywords: (none) => advisory

Comment 7 katnatek 2025-11-12 03:43:04 CET
installing lib64python3.10-stdlib-3.10.18-1.4.mga9.x86_64.rpm lib64python3.10-3.10.18-1.4.mga9.x86_64.rpm tkinter3-3.10.18-1.4.mga9.x86_64.rpm python3-3.10.18-1.4.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...
      1/4: python3
      2/4: lib64python3.10
      3/4: lib64python3.10-stdlib
      4/4: tkinter3
      1/4: removing tkinter3-3.10.11-1.3.mga9.x86_64
      2/4: removing lib64python3.10-stdlib-3.10.11-1.3.mga9.x86_64
      3/4: removing python3-3.10.11-1.3.mga9.x86_64
      4/4: removing lib64python3.10-3.10.11-1.3.mga9.x86_64

LC_ALL=C urpmi python3-pyparsing
Package python3-pyparsing-3.0.9-2.mga9.noarch is already installed

python3 /usr/share/doc/python3-pyparsing/examples/SimpleCalc.py
Type in the string to be parsed or 'quit' to exit the program
>4-5
-1
> 200/3
66.66666666666667
> 5^2
25

Looks good to me

Whiteboard: (none) => MGA9-64-OK

Comment 8 Thomas Andrews 2025-11-12 19:22:57 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 9 Mageia Robot 2025-11-12 22:36:01 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0280.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
