[Git][security-tracker-team/security-tracker][master] Clarify the status of CVE-2022-42919 in python3.7 and pypy3

Santiago R.R. (@santiago) santiago at debian.org
Sat Dec 14 18:44:14 GMT 2024



Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1d6373cd by Santiago Ruano Rincón at 2024-12-14T15:43:29-03:00
Clarify the status of CVE-2022-42919 in python3.7 and pypy3

As described in the notes, CVE-2022-42919 is present in python3.7, but
it is difficult to exploit. So <ignored> is more accurate and safer than
<not-affected>. Similar classification can be done to pypy3 for bullseye
and buster.

This change also includes the related pypy3 commit, than introduced and
fixed the issue.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -179712,15 +179712,17 @@ CVE-2022-42919 (Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux all
 	- python3.10 3.10.8-2
 	- python3.9 <removed>
 	- python3.7 <removed>
-	[buster] - python3.7 <not-affected> (Vulnerable functionality backported later in 3.7.8)
+	[buster] - python3.7 <ignored> (The issue is complex to trigger before 3.7.8)
 	- python2.7 <not-affected> (Vulnerable code introduced later)
 	- pypy3 7.3.11+dfsg-1
-	[bullseye] - pypy3 <not-affected> (Vulnerable functionality ported from cpython later in 7.3.8)
-	[buster] - pypy3 <not-affected> (Vulnerable code introduced later)
+	[bullseye] - pypy3 <ignored> (The issue is complex to trigger before 7.3.8)
+	[buster] - pypy3 <ignored> (The issue is complex to trigger before 7.3.8)
 	NOTE: https://github.com/python/cpython/issues/97514
 	NOTE: https://github.com/python/cpython/commit/4686d77a04570a663164c03193d9def23c89b122 (3.11-branch)
 	NOTE: https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2 (3.10-branch)
 	NOTE: https://github.com/python/cpython/commit/b43496c01a554cf41ae654a0379efae18609ad39 (3.9-branch)
+	NOTE: Introduced in pypy3 by: https://github.com/pypy/pypy/commit/0a83d30478b34c4efd9486dbf6ae8bdf9807f136 (release-pypy3.9-v7.3.8rc1)
+	NOTE: Fixed in pypy3 by: https://github.com/pypy/pypy/commit/f2618dff16cc9ac06413633533b60b4f0a02aa0d (release-pypy3.9-v7.3.10rc1)
 	NOTE: The patch for 3.9 and later only removes the default preference for abstract sockets which
 	NOTE: prevents CVE-2022-42919. Versions 3.8.4 and 3.7.8 are not vulnerable by default (but issue present)
 	NOTE: though users would need to make specific uncommon multiprocessing API calls specifying their own



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d6373cd8c66ff33de49abecd599b60936389bd3

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d6373cd8c66ff33de49abecd599b60936389bd3
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20241214/834f342d/attachment.htm>


More information about the debian-security-tracker-commits mailing list