Alerts This Week
Warning Icon 1 758
Alerts This Week
Warning Icon 1 758

Mageia 9: MGASA-2024-0313 moderate: python-astropy remote code execution

mageia
Calendar Grey September 25, 2024
Dist Mageia Esm H88
Mageia 2024-0313 upgrades python-astropy addressing a critical security vulnerability. Essential information enclosed.
Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function

Summary

Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. Although an error will be raised, the command or script will be executed successfully. (CVE-2023-41334)

References

- https://bugs.mageia.org/show_bug.cgi?id=33369

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AFGTG4EH37DFBG66DWJ2DEZNIO44D3AX/

- https://www.cve.org/CVERecord?id=CVE-2023-41334

Resolution

SRPMS

- 9/core/python-astropy-5.1.1-1.1.mga9

Publication date: 25 Sep 2024
URL: https://advisories.mageia.org/MGASA-2024-0313.html
Type: security
CVE: CVE-2023-41334

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here