USN-5138-1: python-py vulnerability

Publication date

10 November 2021

Overview

python-py could be made to crash if provided with specially crafted input.

Packages

  • python-py - Advanced Python development support library

Details

The py.path.svnwc component of py (aka python-py) through v1.9.0 contains
a regular expression with an ambiguous subpattern that is susceptible to
catastrophic backtracking. This could be used by attackers to cause a compute-time
denial of service attack by supplying malicious input to the blame functionality.
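The advisory describes the bug class (an ambiguous subpattern that makes the regex engine backtrack exponentially on rejecting input) but not how to recognise or guard against it. The following is an added example, not part of the USN and not code from the py project: it uses a constructed stand-in pattern, `^(a+)+$`, which is not the regular expression from py.path.svnwc, to show a small regression check a maintainer can keep in a test suite (match time on a longer rejecting input versus a shorter one), the unambiguous rewrite that accepts the same inputs, and an input-length bound as a pattern-independent mitigation. The names `growth_ratio`, `match_bounded`, `same_decisions` and `MAX_INPUT_LEN` are this example's own.

```python
import re
import time

# Constructed stand-in for an ambiguous subpattern: the nested quantifier
# lets the engine split a run of 'a' between the inner and outer repeat in
# exponentially many ways, and every split is retried when the final '$'
# fails. This is NOT the regular expression from py.path.svnwc.
AMBIGUOUS = re.compile(r"^(a+)+$")

# Same language, but only one way to match it, so there is nothing to
# backtrack into when the match fails.
UNAMBIGUOUS = re.compile(r"^a+$")

# Pattern-independent mitigation: bound the input size before matching
# (an assumed limit for this example).
MAX_INPUT_LEN = 4096


def match_bounded(pattern, text, limit=MAX_INPUT_LEN):
    """Match only if the input is within the size bound; None otherwise."""
    if len(text) > limit:
        return None
    return pattern.fullmatch(text)


def min_match_time(pattern, text, repeats=3):
    """Best-of-N wall-clock time for one match attempt, in seconds."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.search(text)
        best = min(best, time.perf_counter() - start)
    return best


def growth_ratio(pattern, short_n=10, long_n=18):
    """Ratio of match time on a longer rejecting input to a shorter one.

    Inputs are 'a' * n followed by a character the pattern cannot accept,
    so the match must fail; failure is what forces the backtracking.
    A ratio far above long_n / short_n indicates superlinear behaviour
    and is a useful regression-test signal for a pattern under review."""
    short_text = "a" * short_n + "!"
    long_text = "a" * long_n + "!"
    t_short = max(min_match_time(pattern, short_text), 1e-7)
    t_long = min_match_time(pattern, long_text)
    return t_long / t_short


def same_decisions(texts):
    """Confirm the rewrite accepts and rejects exactly the same inputs."""
    return all(
        bool(AMBIGUOUS.fullmatch(t)) == bool(UNAMBIGUOUS.fullmatch(t))
        for t in texts
    )


if __name__ == "__main__":
    # The ambiguous pattern's ratio is in the hundreds or more; the
    # rewrite's stays close to the input-length ratio.
    print("ambiguous growth ratio:", growth_ratio(AMBIGUOUS))
    print("unambiguous growth ratio:", growth_ratio(UNAMBIGUOUS))
    print("rewrite equivalent:", same_decisions(["", "a", "aaaa", "aab"]))
```

The timing probe is deliberately crude: it is meant to flag a pattern whose cost explodes with a few extra characters, not to measure complexity precisely. Keep `long_n` small, since the point of the check is that the ambiguous pattern already takes noticeable time at eighteen characters.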


Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release   Package      Version
20.04 focal      pypy-py      1.8.1-1ubuntu0.1
                 python3-py   1.8.1-1ubuntu0.1
                 python-py    1.8.1-1ubuntu0.1
18.04 bionic     pypy-py      1.5.2-1ubuntu0.1
                 python3-py   1.5.2-1ubuntu0.1
                 python-py    1.5.2-1ubuntu0.1
