UbuntuUpdates.org

Package "python3.13"

Name: python3.13

Description:

This package is just an umbrella for a group of other packages; it has no description.
Description samples from packages in group:

  • IDE for Python (v3.13) using Tkinter
  • Testsuite for the Python standard library (v3.13)
  • Python Interpreter with complete class library (version 3.13)
  • Python interpreter linked without PIE (version 3.13)

Latest version: 3.13.3-1ubuntu0.2
Release: plucky (25.04)
Level: updates
Repository: universe

Other versions of "python3.13" in Plucky

Repository  Area      Version
base        main      3.13.3-1
base        universe  3.13.3-1
security    main      3.13.3-1ubuntu0.1
security    universe  3.13.3-1ubuntu0.2
updates     main      3.13.3-1ubuntu0.2

Changelog

Version: 3.13.3-1ubuntu0.2 2025-06-19 19:11:04 UTC

  python3.13 (3.13.3-1ubuntu0.2) plucky-security; urgency=medium

  * SECURITY UPDATE: Arbitrary filesystem and metadata write through improper
    tar filtering.
    - debian/patches/CVE-202x-12718-4138-4x3x-4517-pre1.patch: Add additional
      tests in ./Lib/test/test_ntpath.py and ./Lib/test/test_posixpath.py.
    - debian/patches/CVE-202x-12718-4138-4x3x-4517.patch: Add ALLOW_MISSING in
      ./Lib/genericpath.py, ./Lib/ntpath.py, ./Lib/posixpath.py. Change filter
      to handle errors in ./Lib/ntpath.py, ./Lib/posixpath.py. Add checks and
      unfiltered to ./Lib/tarfile.py. Modify tests.
    - CVE-2024-12718
    - CVE-2025-4138
    - CVE-2025-4330
    - CVE-2025-4435
    - CVE-2025-4517

 -- Hlib Korzhynskyy <email address hidden> Mon, 16 Jun 2025 15:45:32 -0230

CVE-2024-12718 Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extrac
CVE-2025-4138 Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file me
CVE-2025-4330 Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file me
CVE-2025-4435 When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extrac
CVE-2025-4517 Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if

Version: 3.13.3-1ubuntu0.1 2025-06-16 18:07:47 UTC

  python3.13 (3.13.3-1ubuntu0.1) plucky-security; urgency=medium

  * SECURITY UPDATE: DoS via bytes.decode with unicode_escape
    - debian/patches/CVE-2025-4516.patch: fix use-after-free in the
      unicode-escape decoder with an error handler in
      Include/internal/pycore_bytesobject.h,
      Include/internal/pycore_unicodeobject.h,
      Lib/test/test_codeccallbacks.py, Lib/test/test_codecs.py,
      Objects/bytesobject.c, Objects/unicodeobject.c,
      Parser/string_parser.c.
    - CVE-2025-4516

 -- Marc Deslauriers <email address hidden> Mon, 26 May 2025 12:21:48 -0400

CVE-2025-4516 There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding