Bug 2165864 (CVE-2022-40898) - CVE-2022-40898 python-wheel: remote attackers can cause denial of service via attacker controlled input to wheel cli
Keywords:
Status: NEW
Alias: CVE-2022-40898
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2178881 2178882 2165870 2178876 2178877 2178878 2178879 2178880
Blocks: 2165867
Reported: 2023-01-31 10:09 UTC by Dhananjay Arunesh
Modified: 2023-07-07 08:28 UTC (History)

Fixed In Version: python-wheel 0.38.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Dhananjay Arunesh 2023-01-31 10:09:50 UTC
An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.

References:
https://pypi.org/project/wheel/
https://github.com/pypa/wheel/blob/main/src/wheel/wheelfile.py#L18
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

Comment 1 Dhananjay Arunesh 2023-01-31 10:31:38 UTC
Created python-wheel tracking bugs for this issue:

Affects: fedora-all [bug 2165870]

Comment 2 Miro Hrončok 2023-01-31 10:45:52 UTC
From https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

Who is impacted?

Wheel versions <0.38.0 when parsing a maliciously crafted Wheel file.

Patches

Wheel 0.38.0 includes the patch. After our disclosure, the maintainers acknowledged the issue, discussed a possible fix, and then applied it in 0.38.0.

