Bug 2165864 (CVE-2022-40898) - CVE-2022-40898 python-wheel: remote attackers can cause denial of service via attacker controlled input to wheel cli
Summary: CVE-2022-40898 python-wheel: remote attackers can cause denial of service via attacker controlled input to wheel cli
Keywords:
Status: NEW
Alias: CVE-2022-40898
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2165870 2178876 2178877 2178878 2178879 2178880 2178881 2178882
Blocks: 2165867
Reported: 2023-01-31 10:09 UTC by Dhananjay Arunesh
Modified: 2025-04-11 08:09 UTC
CC List: 5 users

Fixed In Version: python-wheel 0.38.0
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2023:6800  0        None      None    None     2023-11-08 09:36:09 UTC
Red Hat Product Errata  RHSA-2023:6712  0        None      None    None     2023-11-07 08:22:48 UTC
Red Hat Product Errata  RHSA-2023:6793  0        None      None    None     2023-11-08 08:17:12 UTC
Red Hat Product Errata  RHSA-2024:10761 0        None      None    None     2024-12-03 16:16:46 UTC

Description Dhananjay Arunesh 2023-01-31 10:09:50 UTC
An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker-controlled input to the wheel CLI.

References:
https://pypi.org/project/wheel/
https://github.com/pypa/wheel/blob/main/src/wheel/wheelfile.py#L18
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
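The referenced wheelfile.py line is the regular expression that parses wheel filenames, and the pyup write-up classifies the bug as ReDoS. As an added defensive example (not code from python-wheel, the reporter or the errata), the parser below handles the same filename format without any backtracking-prone regex: it splits on `-`, which is exact because the wheel filename spec requires `-` inside a field to be escaped as `_`. The allowed field character set is an assumption made here, not something stated in this bug.

```python
import re

# Wheel filenames look like
#   {dist}-{version}(-{build})?-{pytag}-{abitag}-{platformtag}.whl
# Because '-' is never legal inside a field, splitting on it is unambiguous
# and linear in the input length, whatever the attacker puts in the name.

# Assumed field alphabet: one anchored character class, no nested quantifiers,
# so the regex engine cannot backtrack catastrophically.
_FIELD_RE = re.compile(r"^[A-Za-z0-9_.+]+$")


def parse_wheel_filename(filename: str) -> dict:
    """Parse a .whl filename into its fields; raise ValueError if malformed."""
    if not filename.endswith(".whl"):
        raise ValueError("not a .whl filename")
    stem = filename[: -len(".whl")]
    parts = stem.split("-")
    if len(parts) not in (5, 6):
        raise ValueError(f"expected 5 or 6 '-' separated fields, got {len(parts)}")
    for part in parts:
        if not _FIELD_RE.match(part):
            raise ValueError(f"illegal characters in field {part!r}")
    build = None
    if len(parts) == 6:
        build = parts[2]
        if not build[0].isdigit():
            raise ValueError("build tag must start with a digit")
    return {
        "name": parts[0],
        "version": parts[1],
        "build": build,
        "pyver": parts[-3],
        "abi": parts[-2],
        "plat": parts[-1],
    }


def is_valid_wheel_filename(filename: str) -> bool:
    """Boolean convenience wrapper for accept/reject decisions."""
    try:
        parse_wheel_filename(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: a normal name, a name with a build tag, and a
    # pathological string of hyphens, which is rejected after one split().
    print(parse_wheel_filename("wheel-0.38.0-py3-none-any.whl"))
    print(parse_wheel_filename("example_pkg-1.0.0-1-cp311-cp311-manylinux_2_17_x86_64.whl"))
    print(is_valid_wheel_filename("a" + "-" * 100000 + ".whl"))
```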

Comment 1 Dhananjay Arunesh 2023-01-31 10:31:38 UTC
Created python-wheel tracking bugs for this issue:

Affects: fedora-all [bug 2165870]

Comment 2 Miro Hrončok 2023-01-31 10:45:52 UTC
From https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

Who is impacted?

Wheel versions <0.38.0 when parsing a maliciously crafted Wheel file.

Patches

Wheel 0.38.0 includes the patch. After our disclosure, the maintainers acknowledged the issue, discussed a possible fix, and then applied it in 0.38.0.

Comment 6 errata-xmlrpc 2023-11-07 08:22:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6712 https://access.redhat.com/errata/RHSA-2023:6712

Comment 7 errata-xmlrpc 2023-11-08 08:17:10 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:6793 https://access.redhat.com/errata/RHSA-2023:6793

Comment 8 errata-xmlrpc 2024-12-03 16:16:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:10761 https://access.redhat.com/errata/RHSA-2024:10761
