2345794 – (CVE-2024-3220) CVE-2024-3220 python: Default mimetype known files writeable on Windows

Bug 2345794 (CVE-2024-3220) - CVE-2024-3220 python: Default mimetype known files writeable on Windows

Summary: CVE-2024-3220 python: Default mimetype known files writeable on Windows

Keywords:
Status:	NEW
Alias:	CVE-2024-3220
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-02-14 17:01 UTC by OSIDB Bzimport
Modified:	2025-02-17 14:10 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-02-14 17:01:31 UTC

There is a defect in the CPython standard library module “mimetypes” where on Windows the default list of known file locations are writable meaning other users can create invalid files to cause MemoryError to be raised on Python runtime startup or have file extensions be interpreted as the incorrect file type.

This defect is caused by the default locations of Linux and macOS platforms (such as “/etc/mime.types”) also being used on Windows, where they are user-writable locations (“C:\etc\mime.types”).

To work-around this issue a user can call mimetypes.init() with an empty list (“[]”) on Windows platforms to avoid using the default list of known file locations.

Note You need to log in before you can comment on or make changes to this bug.