Your message dated Thu, 13 Feb 2025 06:52:32 +0100
with message-id <z62iopjxm-rs-...@eldamar.lan>
and subject line [ftpmas...@ftp-master.debian.org: Accepted python-asteval 1.0.6-1 (source) into experimental]
has caused the Debian Bug report #1095031,
regarding python-asteval: CVE-2025-24359
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1095031: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095031
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-asteval
Version: 0.9.31-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for python-asteval.

CVE-2025-24359[0]:
| ASTEVAL is an evaluator of Python expressions and statements. Prior
| to version 1.0.6, if an attacker can control the input to the
| `asteval` library, they can bypass asteval's restrictions and
| execute arbitrary Python code in the context of the application
| using the library. The vulnerability is rooted in how `asteval`
| performs handling of `FormattedValue` AST nodes. In particular, the
| `on_formattedvalue` value uses the dangerous format method of the
| str class. The code allows an attacker to manipulate the value of
| the string used in the dangerous call `fmt.format(__fstring__=val)`.
| This vulnerability can be exploited to access protected attributes
| by intentionally triggering an `AttributeError` exception. The
| attacker can then catch the exception and use its `obj` attribute to
| gain arbitrary access to sensitive or protected object properties.
| Version 1.0.6 fixes this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-24359
    https://www.cve.org/CVERecord?id=CVE-2025-24359
[1] https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
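The advisory above pins the defect to one pattern: evaluating a `FormattedValue` node by calling `str.format` on a template the attacker can influence, and then letting an `AttributeError` (which on Python 3.10+ carries the failing object in its `obj` attribute) escape to caller code. The example below is added here to illustrate the defensive shape of a fix; it is not asteval's code and not the upstream 1.0.6 patch. It applies the `!s`/`!r`/`!a` conversion explicitly, hands the format spec to the `format()` builtin (whose mini-language has no field or attribute syntax), refuses anything but names and literals inside the braces, and re-raises formatting failures as a fresh exception raised outside the `except` handler so that neither `.obj` nor `__context__` can hand the original object back. The `render`, `format_value`, `rejects` and `_BrokenFormat` names, and the tiny `_resolve` evaluator, are all constructed for this example.

```python
import ast


class SafeFormatError(ValueError):
    """Raised in place of any error that escapes formatting; carries no object references."""


# Conversion codes as stored in ast.FormattedValue.conversion (-1 = no conversion).
_CONVERSIONS = {-1: None, ord("s"): str, ord("r"): repr, ord("a"): ascii}


def format_value(val, conversion=-1, spec=""):
    """Format one FormattedValue result without calling str.format on a template.

    The conversion is applied explicitly and the spec goes to the format() builtin,
    so a spec string can never select fields or attributes of `val`.
    """
    if conversion not in _CONVERSIONS:
        raise SafeFormatError(f"unsupported conversion code {conversion!r}")
    if not isinstance(spec, str):
        raise SafeFormatError("format spec must be a str")
    conv = _CONVERSIONS[conversion]
    err = None
    try:
        if conv is not None:
            val = conv(val)
        return format(val, spec)
    except AttributeError:
        # On Python 3.10+ AttributeError.obj references the object. `raise ... from None`
        # would still leave it reachable through __context__, so build a fresh error
        # here and raise it after the handler has finished.
        err = SafeFormatError("attribute lookup failed during formatting")
    except (ValueError, TypeError) as exc:
        err = SafeFormatError(str(exc))
    raise err


def _resolve(node, env):
    """Minimal value resolver constructed for this example: names from env and literals only."""
    if isinstance(node, ast.Name):
        if node.id not in env:
            raise SafeFormatError(f"unknown name {node.id!r}")
        return env[node.id]
    if isinstance(node, ast.Constant):
        return node.value
    # Attribute access, calls, subscripts and so on are refused outright.
    raise SafeFormatError(f"unsupported expression {type(node).__name__}")


def eval_joined_str(node, env):
    """Evaluate an ast.JoinedStr (an f-string) piece by piece."""
    out = []
    for part in node.values:
        if isinstance(part, ast.Constant) and isinstance(part.value, str):
            out.append(part.value)
        elif isinstance(part, ast.FormattedValue):
            val = _resolve(part.value, env)
            # A nested spec such as {x:{width}d} is itself a JoinedStr: evaluate it to
            # a plain string first, then pass that string to format_value().
            spec = "" if part.format_spec is None else eval_joined_str(part.format_spec, env)
            out.append(format_value(val, part.conversion, spec))
        else:
            raise SafeFormatError(f"unexpected f-string part {type(part).__name__}")
    return "".join(out)


def render(src, env):
    """Parse an f-string expression from source and evaluate it against env."""
    tree = ast.parse(src, mode="eval")
    if not isinstance(tree.body, ast.JoinedStr):
        raise SafeFormatError("expected an f-string expression")
    return eval_joined_str(tree.body, env)


def rejects(src, env):
    """True if render() refuses the input with SafeFormatError."""
    try:
        render(src, env)
    except SafeFormatError:
        return True
    return False


class _BrokenFormat:
    """Constructed test double whose __format__ trips an AttributeError."""

    def __format__(self, spec):
        return self.missing_attribute


def sanitized_error_leaks_nothing():
    """Check that a wrapped AttributeError exposes neither .obj nor the original exception."""
    try:
        format_value(_BrokenFormat())
    except SafeFormatError as exc:
        return not hasattr(exc, "obj") and exc.__context__ is None and exc.__cause__ is None
    return False


if __name__ == "__main__":
    print(render('f"pi is {pi:.3f}, {n:{w}d}"', {"pi": 3.14159, "n": 7, "w": 4}))
    print(rejects('f"{s:{t}}"', {"s": "abc", "t": "{0.__class__}"}))
    print(sanitized_error_leaks_nothing())
```

The check worth keeping from this is the last one: catching an exception and re-raising a replacement inside the same `except` block sets `__context__` on the replacement even with `from None`, so any sanitizing wrapper must construct the new error and raise it after the handler has exited, as `format_value` does.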
--- Begin Message ---
Source: python-asteval
Source-Version: 1.0.6-1

----- Forwarded message from Debian FTP Masters <ftpmas...@ftp-master.debian.org> -----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 09 Feb 2025 15:57:45 +1100
Source: python-asteval
Architecture: source
Version: 1.0.6-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Science Maintainers <debian-science-maintain...@lists.alioth.debian.org>
Changed-By: Stuart Prescott <stu...@debian.org>
Changes:
 python-asteval (1.0.6-1) experimental; urgency=medium
 .
   * Team upload.
   * New upstream release.
   * Change upstream source to original github.com/lmfit/asteval.
   * Build using pyproject.toml.
   * Fix typos in package long description.
   * Fix autopkgtest to use pytest.
   * Update Standards-Version to 4.7.0 (no changes required).
Checksums-Sha1:
 083d57a3cdbe519203ba847e08d89f759aa9991d 2340 python-asteval_1.0.6-1.dsc
 6e593f281554d257dc72002e823de588431745a7 47849 python-asteval_1.0.6.orig.tar.gz
 b6d6a740c443ac647b2de3d4710297c2d7bd9dd3 4036 python-asteval_1.0.6-1.debian.tar.xz
 26b5c50324d8252ab2ddfab63349dcaf96f19ac1 8481 python-asteval_1.0.6-1_amd64.buildinfo
Checksums-Sha256:
 b326055f51229fc8aa0235f0e4d27a21f224ace5b7c87530e07f0c85ecf8a6fe 2340 python-asteval_1.0.6-1.dsc
 204d8c2017db316d13a974a58181e538192675149c28d0bb3289f8118476170c 47849 python-asteval_1.0.6.orig.tar.gz
 ba464d69e791c7e009386a05c49255176bf4408820466d85472cd08413a5d2ed 4036 python-asteval_1.0.6-1.debian.tar.xz
 5ec59278715737dd62f95c10b97d0db33c359326530d085636589058b3bd7062 8481 python-asteval_1.0.6-1_amd64.buildinfo
Files:
 cef626a7590af1b835e89849cc050143 2340 python optional python-asteval_1.0.6-1.dsc
 a8887739a146839107c3b1fc77e2601d 47849 python optional python-asteval_1.0.6.orig.tar.gz
 1f52b1c04c010cba00aac9b74d224678 4036 python optional python-asteval_1.0.6-1.debian.tar.xz
 b156ad91138daad7570a4c0a4029f337 8481 python optional python-asteval_1.0.6-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEkOLSwa0Uaht+u4kdu8F+uxOW8vcFAmeoNv8ACgkQu8F+uxOW
8vdC/xAAr/pf6R0AY0paIrYZxyCF3nSroYJL/Shj6Kq0mYIJaHBVk7E2B96UMWq2
bE9EU1MbkSe+e+MDTEgLcQ72JWBpLS7o2WMmy3sr4V21XeDINEg6uA8HoysNjc5B
Qi+WQVVaLBufgOPm+LNtLVTBzg+FGP96yvyYcSMz8uQf2wb8rOHiOV/1Gchx65lz
WL94XKqCePVSDLlzUJytF9Px9DVrlvIuRYg7z02tLXx7upf1cxN/HmXYUQtOJG70
b7m+I/5AcVhWfdpan1G/Y73hdGIUKfIm3vR/uYlep4w392RWp3qTHlA+UugHZTdi
GUIXu0+mezu8UtEhQgjsFsremalflmVwvgKN1GuR1rwGkiUfub4ngnEMlIpvh8ew
gGehX72xisoVP85rctdd50AqHuF6TdTxrUUwfXGauPo7V68AbG4prrqlN7+A8sP7
PAwtge3dGbk2Y1WlS4r8RNvNIROnEQu4NAdL1PdL1Ix4YfE5+om6ruJya8TaZs13
rWb3pqtU8DI/ye8Mu/cwPQBrQTuSmdTSMR4KJS/6Nks1ofpA/qBlVxcPNlaLE4bj
ZyrVMLR+W/eXPCwBmAG2eDea/Q4HRpQmQdX8RAHo/vFtgjK4mHpqC0WeR4QRme+S
3tiqwF2kU+tlYkGImWNmIBoYQNe9Hpk8O60BasRfFwcUXe4uHEs=
=5p7+
-----END PGP SIGNATURE-----

----- End forwarded message -----

--- End Message ---
-- 
debian-science-maintainers mailing list
debian-science-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers
