Bug 2165864 (CVE-2022-40898)

Summary: CVE-2022-40898 python-wheel: remote attackers can cause denial of service via attacker controlled input to wheel cli
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cstratak, hhorak, jorton, python-maint, torsava
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python-wheel 0.38.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2178881, 2178882, 2165870, 2178876, 2178877, 2178878, 2178879, 2178880    
Bug Blocks: 2165867    

Description Dhananjay Arunesh 2023-01-31 10:09:50 UTC 
An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.

References:
https://pypi.org/project/wheel/
https://github.com/pypa/wheel/blob/main/src/wheel/wheelfile.py#L18
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
Comment 1 Dhananjay Arunesh 2023-01-31 10:31:38 UTC 
Created python-wheel tracking bugs for this issue:

Affects: fedora-all [bug 2165870]
Comment 2 Miro HronĨok 2023-01-31 10:45:52 UTC 
From https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

Who is impacted?

Wheel versions <0.38.0 when parsing a maliciously crafted Wheel file.

Patches

Wheel 0.38.0 includes the patch. After our disclosure, the maintainers acknowledged the issue, discussed a possible fix, and then applied it in 0.38.0.