[USN-5138-1] python-py vulnerability

Ian Constantin ian.constantin at canonical.com
Thu Nov 11 04:33:22 UTC 2021


==========================================================================
Ubuntu Security Notice USN-5138-1
November 10, 2021

python-py vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

python-py could be made to crash if provided with specially crafted input.

Software Description:
- python-py: Advanced Python development support library

Details:

The py.path.svnwc component of py (aka python-py) through v1.9.0 
contains a regular expression with an ambiguous subpattern that is 
susceptible to catastrophic backtracing. This could be used by attackers 
to cause a compute-time denial of service attack by supplying malicious 
input to the blame functionality.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
   pypy-py                        1.8.1-1ubuntu0.1
   python-py                      1.8.1-1ubuntu0.1
   python3-py                     1.8.1-1ubuntu0.1

Ubuntu 18.04 LTS:
   pypy-py                        1.5.2-1ubuntu0.1
   python-py                      1.5.2-1ubuntu0.1
   python3-py                     1.5.2-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-5138-1
   CVE-2020-29651

Package Information:
   https://launchpad.net/ubuntu/+source/python-py/1.8.1-1ubuntu0.1
   https://launchpad.net/ubuntu/+source/python-py/1.5.2-1ubuntu0.1



More information about the ubuntu-security-announce mailing list