From b4c0935dae871627ebfc28626635340776d9affd Mon Sep 17 00:00:00 2001
From: sethmlarson <18519037+sethmlarson@users.noreply.github.com>
Date: Wed, 24 Jun 2026 00:36:38 +0000
Subject: [PATCH] Update OSV records from CVE
---
 advisories/python/PSF-0000-CVE-2026-0864.json | 49 +++++++++++++
 .../python/PSF-0000-CVE-2026-11940.json | 70 +++++++++++++++++++
 .../python/PSF-0000-CVE-2026-11972.json | 42 +++++++++++
 3 files changed, 161 insertions(+)
 create mode 100644 advisories/python/PSF-0000-CVE-2026-0864.json
 create mode 100644 advisories/python/PSF-0000-CVE-2026-11940.json
 create mode 100644 advisories/python/PSF-0000-CVE-2026-11972.json
diff --git a/advisories/python/PSF-0000-CVE-2026-0864.json b/advisories/python/PSF-0000-CVE-2026-0864.json
new file mode 100644
index 0000000..6c33be7
--- /dev/null
+++ b/advisories/python/PSF-0000-CVE-2026-0864.json
@@ -0,0 +1,49 @@
+{
+ "schema_version": "1.5.0",
+ "id": "PSF-0000-CVE-2026-0864",
+ "aliases": [
+ "CVE-2026-0864"
+ ],
+ "published": "2026-06-23T17:42:01.947Z",
+ "modified": "2026-06-23T18:34:49.788Z",
+ "details": "When using the \"configparser\" module to write configuration files\ncontaining multi-line text values with carriage return characters (\\r) the\nresulting file could be injected with unexpected keys and values if the\nattacker controls the written value.",
+ "affected": [
+ {
+ "ranges": [
+ {
+ "type": "GIT",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "5858e42c539dac8394636a6e9b30472b8994851f"
+ }
+ ],
+ "repo": "https://github.com/python/cpython"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/python/cpython/pull/151559"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/CV4NE6AFCRJL7XQOHX7J5TSDHUWVWGJS/"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/python/cpython/issues/143927"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/5858e42c539dac8394636a6e9b30472b8994851f"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": []
+ }
+}
\ No newline at end of file
diff --git a/advisories/python/PSF-0000-CVE-2026-11940.json b/advisories/python/PSF-0000-CVE-2026-11940.json
new file mode 100644
index 0000000..7f646f1
--- /dev/null
+++ b/advisories/python/PSF-0000-CVE-2026-11940.json
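Review bot: The `WEB` reference in this configparser record points at `https://github.com/python/cpython/pull/151559`, which is the same PR URL the tarfile record (CVE-2026-11940) pairs with issue 151558, while this record's own issue is 143927 and its fix is commit 5858e42c…; a PR numbered one above the tarfile issue is most likely the tarfile fix, so this reference looks like a cross-linking error and should be verified against the configparser issue before the record is published. The record also leaves `"cwe_ids": []` empty even though the details describe injecting keys and values via carriage-return characters in a written value, which maps cleanly to CRLF injection (CWE-93) if the CWE field is meant to be populated in this repository rather than left to a downstream enrichment step.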
@@ -0,0 +1,70 @@
+{
+ "schema_version": "1.5.0",
+ "id": "PSF-0000-CVE-2026-11940",
+ "aliases": [
+ "CVE-2026-11940"
+ ],
+ "published": "2026-06-23T16:04:17.321Z",
+ "modified": "2026-06-23T17:57:32.525Z",
+ "details": "tarfile.extractall() with the 'data' or 'tar'\n filter could be bypassed by a crafted archive where a hardlink \nreferences a symlink stored at a deeper name than the hardlink itself.\u00a0 \nThe extraction fallback validated the symlink at it's archived location \nbut recreated it at the hardlink's shallower\npath, letting a relative\n target the filter judged contained escape the destination directory.\u00a0 \nThis allowed a malicious tar archive to create a symlink pointing \noutside the destination, enabling out-of-destination file reads or \nwrites. This was an incomplete fix of CVE-2025-4330.",
+ "affected": [
+ {
+ "ranges": [
+ {
+ "type": "GIT",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "27dd970bf6b17ebca7c8ed486a40ab043ed7af8f"
+ },
+ {
+ "fixed": "672825e2f36a57e173959b0d9d409d4560dab8df"
+ },
+ {
+ "fixed": "771d12dda5140313db0ac550292987975651bbde"
+ },
+ {
+ "fixed": "79c06bd5c6afa3c440d50faf7ee1b147c8832b4c"
+ }
+ ],
+ "repo": "https://github.com/python/cpython"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/python/cpython/pull/151559"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/LD6QIISNQFQYOIEPJNEUIPV7S3V76FZH/"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/python/cpython/issues/151558"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/27dd970bf6b17ebca7c8ed486a40ab043ed7af8f"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/672825e2f36a57e173959b0d9d409d4560dab8df"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/771d12dda5140313db0ac550292987975651bbde"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/79c06bd5c6afa3c440d50faf7ee1b147c8832b4c"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": []
+ }
+}
\ No newline at end of file
diff --git a/advisories/python/PSF-0000-CVE-2026-11972.json b/advisories/python/PSF-0000-CVE-2026-11972.json
new file mode 100644
index 0000000..8572f81
--- /dev/null
+++ b/advisories/python/PSF-0000-CVE-2026-11972.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.5.0",
+ "id": "PSF-0000-CVE-2026-11972",
+ "aliases": [
+ "CVE-2026-11972"
+ ],
+ "published": "2026-06-23T22:02:45.434Z",
+ "modified": "2026-06-23T22:02:45.434Z",
+ "details": "When using the \"tarfile\" module with a file opened in \"streaming mode\" (mode=\"r|\") the tarfile module did not properly handle EOF, meaning an archive could be parsed in an infinite loop.",
+ "affected": [
+ {
+ "ranges": [
+ {
+ "type": "GIT",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ],
+ "repo": "https://github.com/python/cpython"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "REPORT",
+ "url": "https://github.com/python/cpython/issues/151981"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/python/cpython/pull/151982"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/AXPSKKTSRKXTTJULW3XSIC74WZNAAPPB/"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": []
+ }
+}
\ No newline at end of file
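Review bot: The `details` text states this is "an incomplete fix of CVE-2025-4330", but the record carries that relationship only as prose; OSV has a top-level `related` array for exactly this, so adding `"related": ["CVE-2025-4330"]` next to `"aliases"` would let scanners and databases link the bypass to the advisory it supersedes. The details string also contains `\u00a0` non-breaking spaces and the typo "it's archived location" (should be "its"); if the text is copied verbatim from the CVE record that is an upstream issue, but normalising whitespace at import time would keep the rendered advisory clean. The four `fixed` events in one GIT range presumably correspond to the per-branch backports listed as `FIX` references, which is the accepted OSV way to express that, so no change is needed there.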
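Review bot: The GIT range for CVE-2026-11972 has only `{"introduced": "0"}` with no `fixed` event, and the PR `https://github.com/python/cpython/pull/151982` is typed `WEB` rather than `FIX`, so OSV consumers will treat every CPython commit as vulnerable with no remediation available. That is the correct state if the PR has not merged yet, but the record should be revisited to add a `{"fixed": "<merged commit sha>"}` event and a `"type": "FIX"` reference once it lands; the identical `published` and `modified` timestamps suggest this is the initial import and nothing has been reconciled since. `"cwe_ids": []` is empty although the details describe an unterminated parse loop on EOF, which maps to CWE-835 (infinite loop) if the field is meant to be filled here.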