openSUSE-SU-2025:0052-1

Published: 03 Feb 2025
Source: suse-cvrf

Description

Security update for python-asteval

This update for python-asteval fixes the following issues:

Update to 1.0.6:

  • drop testing and support for Python 3.8, add Python 3.13, change documentation to reflect this.
  • implement safe_getattr and safe_format functions; fix bugs in UNSAFE_ATTRS and UNSAFE_ATTRS_DTYPES usage (boo#1236405, CVE-2025-24359)
  • make all Procedure attributes private to curb access to AST nodes, which can be exploited
  • improvements to error messages, including using ast functions to construct better error messages
  • remove import of numpy.linalg, as documented
  • update doc description for security advisory

Update to 1.0.5:

  • more work on handling errors, including fixing #133 and adding more comprehensive tests for #129 and #132

Update to 1.0.4:

  • fix error handling that might result in null exception

Update to 1.0.3:

  • functions ('Procedures') defined within asteval have a _signature() method, now used in repr
  • add support for deleting subscripts
  • nested symbol tables now have a Group() function
  • update coverage config
  • cleanups of exception handling: errors must now have an exception
  • several related fixes to suppress repeated exceptions: see GH #132 and #129
  • make non-boolean return values from comparison operators behave like Python, not immediately testing as bool
  • update to 1.0.2:

    • fix NameError handling in expression code
    • make exception messages more Python-like
  • update to 1.0.1:

    • security fixes, based on audit by Andrew Effenhauser, Ayman Hammad, and Daniel Crowley, IBM X-Force Security Research division
    • remove numpy modules polynomial, fft, linalg by default for security concerns
    • disallow string.format(), improve security of f-string evaluation
  • update to 1.0.0:

    • fix (again) nested list comprehension (Issues #127 and #126).
    • add more testing of multiple list comprehensions.
    • more complete support for Numpy 2, and removal of many Numpy symbols that have been long deprecated.
    • remove AST nodes deprecated in Python 3.8.
    • clean up build files and outdated tests.
    • fixes to codecov configuration.
    • update docs.
  • update to 0.9.33:

    • fixes for multiple list comprehensions (addressing #126)
    • add testing with optionally installed numpy_financial to CI
    • test existence of all numpy imports to better safeguard against missing functions (for safer numpy 2 transition)
    • update rendered doc to include PDF and zipped HTML
  • update to 0.9.32:

    • add deprecations message for numpy functions to be removed in numpy 2.0
    • comparison operations use try/except for short-circuiting instead of checking for numpy arrays (addressing #123)
    • add Python 3.12 to testing
    • move repository from 'newville' to 'lmfit' organization
    • update doc theme, GitHub locations pointed to by docs, other doc tweaks.
  • Update to 0.9.31:

    • cleanup numpy imports to avoid deprecated functions, add financial functions from numpy_financial module, if installed.
    • prefer 'user_symbols' when initializing Interpreter, but still support 'usersyms' argument. Will deprecate and remove eventually.
    • add support of optional (off-by default) 'nested symbol table'.
    • update tests to run most tests with symbol tables of dict and nested group type.
    • general code and testing cleanup.
    • add config argument to Interpreter to more fully control which nodes are supported
    • add support for import and importfrom -- off by default
    • add support for with blocks
    • add support for f-strings
    • add support of set and dict comprehension
    • fix bug with 'int**int' not returning a float.
  • update to 0.9.29:

    • bug fixes
  • Update to 0.9.28:

    • add support for Python 3.11
    • add support for multiple list comprehensions
    • improve performance of making the initial symbol table, and Interpreter creation, including better checking for index_tricks attributes
  • update to 0.9.27:

    • more cleanups
  • update to 0.9.26:

    • fix setup.py again
  • update to 0.9.25:

    • fixes import errors for Py3.6 and 3.7, setting version with importlib_metadata.version if available.
    • use setuptools_scm and importlib for version
    • treat all dunder attributes of all objects as inherently unsafe.
  • Update to 0.9.22:

    • another important but small fix for Python 3.9
    • Merge branch 'nested_interrupts_returns'
  • Drop hard numpy requirement, don't test on Python 3.6
  • update to 0.9.18:

    • drop python2
    • few fixes

Package list

SUSE Package Hub 15 SP6
python311-asteval-1.0.6-bp156.4.3.1
openSUSE Leap 15.6
python311-asteval-1.0.6-bp156.4.3.1

Description

ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, an attacker who controls the input to the `asteval` library can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` handles `FormattedValue` AST nodes: the `on_formattedvalue` handler uses the dangerous `format` method of the `str` class, and the code lets an attacker manipulate the string used in the dangerous call `fmt.format(__fstring__=val)`. This can be exploited to reach protected attributes by intentionally triggering an `AttributeError` exception; the attacker then catches the exception and uses its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue.
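The fix in 1.0.6 is described above as introducing a `safe_format` function. The following is an added example of the defensive pattern that name suggests, written for this page and not asteval's own code: the format string is parsed with the standard-library `string.Formatter` and any replacement field that would traverse attributes (`.`) or subscripts (`[...]`) is refused before `str.format` is ever called, so no `AttributeError` carrying an object reference can be raised from inside formatting. The names `safe_format`, `UnsafeFormatField` and `asteval_version_is_fixed` are assumptions made for illustration, and the version helper only encodes the "fixed in 1.0.6" statement of this advisory.

```python
"""Added example (not asteval's or openSUSE's code): validate a format string
before handing it to str.format, as a mitigation for the class of issue
described in CVE-2025-24359."""
import re
import string

# A replacement field may only be empty (auto-numbered), a positional index,
# or a plain identifier. Anything with "." or "[" would walk into attributes
# or items of the supplied values, which is exactly what must not happen.
_PLAIN_FIELD = re.compile(r"^(|[0-9]+|[A-Za-z_][A-Za-z0-9_]*)$")


class UnsafeFormatField(ValueError):
    """Raised for a field that would traverse attributes or subscripts.

    Because the check happens before formatting, no AttributeError (whose
    .obj attribute references the object being probed) can escape to the
    caller of the format string."""


def _check_fields(fmt: str) -> None:
    """Recursively validate every replacement field, including fields nested
    inside a format spec such as "{x:{width}}"."""
    for _literal, field_name, format_spec, _conversion in string.Formatter().parse(fmt):
        if field_name is None:          # pure literal text, nothing to check
            continue
        if not _PLAIN_FIELD.match(field_name):
            raise UnsafeFormatField(f"refusing replacement field {field_name!r}")
        if format_spec:                 # the spec may itself contain fields
            _check_fields(format_spec)


def safe_format(fmt: str, *args, **kwargs) -> str:
    """str.format restricted to plain positional/keyword fields (hypothetical)."""
    _check_fields(fmt)
    return fmt.format(*args, **kwargs)


def asteval_version_is_fixed(version: str) -> bool:
    """True when an installed asteval version string is >= 1.0.6, the version
    this advisory names as fixed. Accepts only dotted integer versions."""
    parts = tuple(int(p) for p in version.split("."))
    return parts >= (1, 0, 6)


if __name__ == "__main__":
    print(safe_format("{0} + {1} = {total:>4}", 1, 2, total=3))
    for bad in ("{x.__class__}", "{x[0]}", "{x:{w.__dict__}}"):
        try:
            safe_format(bad, x=1, w=4)
        except UnsafeFormatField as exc:
            print("blocked:", exc)
    print("1.0.5 fixed?", asteval_version_is_fixed("1.0.5"))
```

Plain fields such as `{x:>5}` and nested width fields like `{x:{w}}` still work, so the restriction costs ordinary f-string users nothing; the point is that rejection happens by string inspection rather than by letting `str.format` fail and then trusting the resulting exception.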

Affected products
SUSE Package Hub 15 SP6:python311-asteval-1.0.6-bp156.4.3.1
openSUSE Leap 15.6:python311-asteval-1.0.6-bp156.4.3.1

References
Vulnerability openSUSE-SU-2025:0052-1