[GHSA-jm46-725r-hh9v] An issue was found in the CPython zipfile module...

[sparrowt]

Updates

• Affected products
• Description
• Summary

Comments
This PR makes a correcttion to the list of python versions which GHSA-jm46-725r-hh9v states are affected by CVE-2024-0450, for example:

• CPython 3.11.8 is not vulnerable to this as the fix was backported to 3.11 by [3.11] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) python/cpython#113913 and gh-109858 is listed as fixed in the python 3.11.8 release notes at https://docs.python.org/3.11/whatsnew/changelog.html#python-3-11-8-final
• CPython 3.12.2 is not vulnerable to this either, see gh-109858 on https://docs.python.org/3.12/whatsnew/changelog.html#python-3-12-2-final

(I'm unsure for earlier python versions, for example although it appears to have been backported to the 3.10 branch by python/cpython#113914 it is not yet shown on https://docs.python.org/3.10/whatsnew/changelog.html so I'm unclear on whether there is yet a released version of 3.10 with the patch or not.)

[sparrowt]

Note: I was unable to submit the 'improve' form without selecting something under the mandatory "Affected products" field (see here for someone else hitting the same issue).

In order to proceed therefore I chose 'pip' as it was the closest thing, but clearly it is not correct - but "python" or "cpython" was not an option.

[sparrowt]

unfortunately it seems I cannot edit this auto-created branch, so I'll put it here as a suggestion instead:

Suggested change

	{
	"package": {
	"ecosystem": "PyPI",
	"name": ""
	},
	"ranges": [
	{
	"type": "ECOSYSTEM",
	"events": [
	{
	"introduced": "0"
	}
	]
	}
	]
	}

Removing the 'affected' details which I was forced to add (as explained here)

[shelbyc]

👋 Hi @sparrowt, as you discovered when submitting the improve form, advisories that appear in a reviewed state in the GitHub Advisory Database must fall under one of our supported ecosystems. https://github.com/python/cpython doesn't correspond to any packages in the pip ecosystem, so we cannot review GHSA-jm46-725r-hh9v.

However, if you have not done so already, I encourage you to contact the Python Software Foundation, the CVE Numbering Authority that issued CVE-2024-0450, with your findings and request that they amend the CVE record to include corrected vulnerable version information.

Thank you for your interest in GHSA-jm46-725r-hh9v/CVE-2024-0450.

[taladrane]

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

[taladrane]

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.