Version 5.3.2 of the Astropy core package is vulnerable to remote code
execution due to improper input validation in the
`TranformGraph().to_dot_graph` function. A malicious user can provide a
command or a script file as a value to the `savelayout` argument, which
will be placed as the first value in a list of arguments passed to
`subprocess.Popen`. Although an error will be raised, the command or
script will be executed successfully. (CVE-2023-41334)
- https://bugs.mageia.org/show_bug.cgi?id=33369
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AFGTG4EH37DFBG66DWJ2DEZNIO44D3AX/
- https://www.cve.org/CVERecord?id=CVE-2023-41334
- 9/core/python-astropy-5.1.1-1.1.mga9
Get the latest Linux and open source security news straight to your inbox.