Package "libpython3.12-stdlib"
Name: libpython3.12-stdlib
Description: Interactive high-level object-oriented language (standard library, version 3.12)
Latest version: 3.12.3-1ubuntu0.7
Release: noble (24.04)
Level: updates
Repository: main
Head package: python3.12
Changelog
python3.12 (3.12.3-1ubuntu0.7) noble-security; urgency=medium
* SECURITY UPDATE: Arbitrary filesystem and metadata write through improper
tar filtering.
- debian/patches/CVE-202x-12718-4138-4x3x-4517.patch: Add ALLOW_MISSING in
./Lib/genericpath.py, ./Lib/ntpath.py, ./Lib/posixpath.py. Change filter
to handle errors in ./Lib/ntpath.py, ./Lib/posixpath.py. Add checks and
unfiltered to ./Lib/tarfile.py. Modify tests.
- CVE-2024-12718
- CVE-2025-4138
- CVE-2025-4330
- CVE-2025-4435
- CVE-2025-4517
-- Hlib Korzhynskyy <email address hidden> Wed, 18 Jun 2025 15:29:45 -0230
CVE-2024-12718: Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extrac
CVE-2025-4138: Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file me
CVE-2025-4330: Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file me
CVE-2025-4435: When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extrac
CVE-2025-4517: Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if
python3.12 (3.12.3-1ubuntu0.6) noble-security; urgency=medium
* SECURITY UPDATE: incorrect address list folding
- debian/patches/CVE-2025-1795-2.patch: fix AttributeError in the email
module in Lib/email/_header_value_parser.py,
Lib/test/test_email/test__header_value_parser.py.
- CVE-2025-1795
* SECURITY UPDATE: DoS via bytes.decode with unicode_escape
- debian/patches/CVE-2025-4516.patch: fix use-after-free in the
unicode-escape decoder with an error handler in
Include/cpython/bytesobject.h, Include/cpython/unicodeobject.h,
Lib/test/test_codeccallbacks.py, Lib/test/test_codecs.py,
Objects/bytesobject.c, Objects/unicodeobject.c,
Parser/string_parser.c.
- CVE-2025-4516
-- Marc Deslauriers <email address hidden> Mon, 26 May 2025 14:50:19 -0400
CVE-2025-1795: During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the separator itself is a
CVE-2025-4516: There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding
python3.12 (3.12.3-1ubuntu0.5) noble-security; urgency=medium
* SECURITY UPDATE: urlparse does not flag hostname with square brackets
as incorrect
- debian/patches/CVE-2025-0938.patch: disallow square brackets in
domain names for parsed URLs in Lib/test/test_urlparse.py,
Lib/urllib/parse.py.
- CVE-2025-0938
-- Marc Deslauriers <email address hidden> Tue, 04 Feb 2025 09:48:35 -0500
CVE-2025-0938: The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid ac
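Code that makes authorization or SSRF decisions on the host returned by urlsplit should not rely on the parser alone having rejected a malformed host. The following is an added example, not code from the python3.12 package or from CPython, that validates the host component of a parsed URL itself: square brackets are accepted only as the delimiters of a complete IPv6 or IPvFuture literal, and an unbracketed host must be a plain dot-separated name (which also covers IPv4). Applied as a second check after urlsplit, the rule holds the same way on a CPython that predates the CVE-2025-0938 fix. The reg-name grammar used here is deliberately stricter than RFC 3986 (no percent-encoding), an assumption of this example; the port is not validated.

```python
"""Strict host validation for parsed URLs (added example, not CPython or
Ubuntu package code). Brackets are legal only around an IPv6/IPvFuture
literal; everything else must be a plain dot-separated name."""
from __future__ import annotations

import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumption of this example: labels of letters, digits and hyphens only,
# no percent-encoding. A dotted-quad IPv4 address matches this as well.
_REG_NAME = re.compile(r"\A(?:[A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}\.?\Z")
# RFC 3986 IPvFuture: "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"\Av[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+\Z")


def validate_host(netloc: str) -> str:
    """Return the host from a netloc (userinfo and port stripped) or raise
    ValueError. An empty host is rejected."""
    hostport = netloc.rpartition("@")[2]
    if hostport.startswith("["):
        close = hostport.find("]")
        if close == -1:
            raise ValueError("unterminated IP-literal")
        literal = hostport[1:close]
        rest = hostport[close + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("data between ']' and the port")
        if _IPVFUTURE.match(literal):
            return f"[{literal}]"
        # ip_address() itself raises ValueError on anything that is not an IP.
        if ipaddress.ip_address(literal).version != 6:
            raise ValueError("only IPv6 may appear in brackets")
        return f"[{literal}]"
    host = hostport.partition(":")[0]
    if "[" in host or "]" in host:
        raise ValueError("bracket outside an IP-literal")
    if not _REG_NAME.match(host):
        raise ValueError("not a valid reg-name or IPv4 address")
    return host


def url_host(url: str) -> Optional[str]:
    """Host of url if both urlsplit and validate_host accept it, else None."""
    try:
        return validate_host(urlsplit(url).netloc)
    except ValueError:
        return None


if __name__ == "__main__":
    for sample in ("https://example.com:8443/p", "https://u:p@[::1]:8443/x",
                   "http://[example.com]/", "http://example[.com]/",
                   "http://[127.0.0.1]/", "http://[::1]x/"):
        print(f"{sample:<32} -> {url_host(sample)}")
```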
python3.12 (3.12.3-1ubuntu0.4) noble-security; urgency=medium
* SECURITY UPDATE: memory exhaustion issue in asyncio
- debian/patches/CVE-2024-12254.patch: ensure to pause the protocol if
needed in Lib/asyncio/selector_events.py,
Lib/test/test_asyncio/test_selector_events.py.
- CVE-2024-12254
-- Marc Deslauriers <email address hidden> Fri, 17 Jan 2025 13:03:48 -0500
CVE-2024-12254: Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain t
python3.12 (3.12.3-1ubuntu0.3) noble-security; urgency=medium
* SECURITY UPDATE: incorrect quoting in venv module
- debian/patches/CVE-2024-9287.patch: quote template strings in venv
activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,
Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,
Lib/venv/scripts/posix/activate.csh,
Lib/venv/scripts/posix/activate.fish.
- CVE-2024-9287
-- Marc Deslauriers <email address hidden> Wed, 06 Nov 2024 13:32:19 -0500
CVE-2024-9287: A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted pro