Anolis OS update for python3
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2007-4559 CVE-2001-1267 |
| CWE-ID | CWE-22 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
Anolis OS Operating systems & Components / Operating system python3-tkinter Operating systems & Components / Operating system package or component python3-test Operating systems & Components / Operating system package or component python3-libs Operating systems & Components / Operating system package or component python3-idle Operating systems & Components / Operating system package or component platform-python-devel Operating systems & Components / Operating system package or component platform-python-debug Operating systems & Components / Operating system package or component platform-python Operating systems & Components / Operating system package or component |
| Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Path traversal
EUVDB-ID: #VU67583
Risk: High
CVSSv4.0: 8.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2007-4559
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The
vulnerability exists due to improper validation of filenames in the
tarfile module in Python. A remote attacker can
create a specially crafted archive with symbolic links inside or
filenames that contain directory traversal characters (e.g. "..") and
overwrite arbitrary files on the system.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
python3-tkinter: before 3.6.8-56.0.1
python3-test: before 3.6.8-56.0.1
python3-libs: before 3.6.8-56.0.1
python3-idle: before 3.6.8-56.0.1
platform-python-devel: before 3.6.8-56.0.1
platform-python-debug: before 3.6.8-56.0.1
platform-python: before 3.6.8-56.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:python3-tkinter:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:python3-test:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:python3-libs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:python3-idle:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:platform-python-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:platform-python-debug:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:platform-python:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0123
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Path traversal
EUVDB-ID: #VU93014
Risk: High
CVSSv4.0: 6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2001-1267
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can trick the victim to open a specially crafted archive and overwrite arbitrary files on the system.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
python3-tkinter: before 3.6.8-56.0.1
python3-test: before 3.6.8-56.0.1
python3-libs: before 3.6.8-56.0.1
python3-idle: before 3.6.8-56.0.1
platform-python-devel: before 3.6.8-56.0.1
platform-python-debug: before 3.6.8-56.0.1
platform-python: before 3.6.8-56.0.1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:python3-tkinter:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:python3-test:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:python3-libs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:python3-idle:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:platform-python-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:platform-python-debug:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:platform-python:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0123
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
