From 6ff51ddd785a1926629351b3464809a4077b5e93 Mon Sep 17 00:00:00 2001
From: sethmlarson <18519037+sethmlarson@users.noreply.github.com>
Date: Wed, 1 Jul 2026 00:43:29 +0000
Subject: [PATCH] Update OSV records from CVE
---
 advisories/python/PSF-0000-CVE-2026-4360.json | 70 +++++++++++++++++++
 advisories/python/PSF-2026-11.json | 22 ++++-
 advisories/python/PSF-2026-15.json | 16 ++++-
 advisories/python/PSF-2026-24.json | 16 ++++-
 advisories/python/PSF-2026-30.json | 17 +++-
 advisories/python/PSF-2026-31.json | 44 +++++++++++-
 6 files changed, 173 insertions(+), 12 deletions(-)
 create mode 100644 advisories/python/PSF-0000-CVE-2026-4360.json
diff --git a/advisories/python/PSF-0000-CVE-2026-4360.json b/advisories/python/PSF-0000-CVE-2026-4360.json
new file mode 100644
index 0000000..6821142
--- /dev/null
+++ b/advisories/python/PSF-0000-CVE-2026-4360.json
@@ -0,0 +1,70 @@
+{
+ "schema_version": "1.5.0",
+ "id": "PSF-0000-CVE-2026-4360",
+ "aliases": [
+ "CVE-2026-4360"
+ ],
+ "published": "2026-06-30T14:45:35.601Z",
+ "modified": "2026-06-30T15:28:30.201Z",
+ "details": "In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function.",
+ "affected": [
+ {
+ "ranges": [
+ {
+ "type": "GIT",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "5e0ef3f1afe892e4f64eb83368db57ac4c40cba0"
+ },
+ {
+ "fixed": "7b57e8d51446297b8c7c482d224bc5f1938e4301"
+ },
+ {
+ "fixed": "7ccdbaba2c54250a70d7f25632152df7655a5e0a"
+ },
+ {
+ "fixed": "eee3ddf0ca10283cc7fea724aae9cd8665f8d15e"
+ }
+ ],
+ "repo": "https://github.com/python/cpython"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/TWZW2PC2AZOV6FENIHFSRC63OM7MBGSB/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/python/cpython/pull/151988"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/python/cpython/issues/151987"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/5e0ef3f1afe892e4f64eb83368db57ac4c40cba0"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/7b57e8d51446297b8c7c482d224bc5f1938e4301"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/7ccdbaba2c54250a70d7f25632152df7655a5e0a"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/eee3ddf0ca10283cc7fea724aae9cd8665f8d15e"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": []
+ }
+}
\ No newline at end of file
diff --git a/advisories/python/PSF-2026-11.json b/advisories/python/PSF-2026-11.json
index 590901e..2cbfe39 100644
--- a/advisories/python/PSF-2026-11.json
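Review bot: The new record's `affected` entry carries only a GIT range of fix commits and no `package` or ECOSYSTEM version range, so version-based matching tools cannot tell which CPython releases are affected or fixed; the `PSF-0000-` placeholder id and the empty `cwe_ids` suggest this is a stub awaiting a PSF id, and the ecosystem range should presumably be filled in at the same step. The file is also written without a trailing newline (`\ No newline at end of file`), and the same commit strips the trailing newline from PSF-2026-11.json and PSF-2026-30.json (`-}`/`+}` at the end of their last hunks); have the exporter end every file with `\n` so future diffs stay clean. The `details` text names `Tarfile.extract()`, while the class is `tarfile.TarFile`; worth correcting at the source if that text is editable.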
+++ b/advisories/python/PSF-2026-11.json
@@ -2,7 +2,7 @@
 "schema_version": "1.5.0",
 "id": "PSF-2026-11",
 "published": "2026-03-16T17:37:31.344Z",
- "modified": "2026-03-16T18:25:55.021Z",
+ "modified": "2026-06-30T15:11:21.792Z",
 "aliases": [
 "CVE-2026-3644"
 ],
@@ -12,7 +12,6 @@
 "ranges": [
 {
 "type": "GIT",
- "repo": "https://github.com/python/cpython",
 "events": [
 {
 "introduced": "0"
@@ -25,8 +24,15 @@
 },
 {
 "fixed": "d16ecc6c3626f0e2cc8f08c309c83934e8a979dd"
+ },
+ {
+ "fixed": "556aa098e738b127c714866f819b4abe2f7593d8"
+ },
+ {
+ "fixed": "dae4b1a21f8df4570e30986affd61bbe4ade4cef"
 }
- ]
+ ],
+ "repo": "https://github.com/python/cpython"
 }
 ]
 }
@@ -55,9 +61,17 @@
 {
 "type": "FIX",
 "url": "https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/556aa098e738b127c714866f819b4abe2f7593d8"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/dae4b1a21f8df4570e30986affd61bbe4ade4cef"
 }
 ],
 "database_specific": {
 "cwe_ids": []
 }
-}
+}
\ No newline at end of file
diff --git a/advisories/python/PSF-2026-15.json b/advisories/python/PSF-2026-15.json
index 0741fb0..3239273 100644
--- a/advisories/python/PSF-2026-15.json
+++ b/advisories/python/PSF-2026-15.json
@@ -2,7 +2,7 @@
 "schema_version": "1.5.0",
 "id": "PSF-2026-15",
 "published": "2026-04-10T17:54:44.121Z",
- "modified": "2026-06-04T14:08:00.911Z",
+ "modified": "2026-06-30T15:12:43.900Z",
 "aliases": [
 "CVE-2026-1502"
 ],
@@ -27,6 +27,12 @@
 },
 {
 "fixed": "c00c386faa579ad71196d33408644478488e43ec"
+ },
+ {
+ "fixed": "56b7100b04e44ea27989242b176beb8f016b2c53"
+ },
+ {
+ "fixed": "58703ec1bdd1eb075e8b01a0c427683ce594dd3e"
 }
 ],
 "repo": "https://github.com/python/cpython"
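Review bot: The `repo` key in PSF-2026-11.json is moved from before `events` to after it (hunks `@@ -12,7 +12,6 @@` and `@@ -25,8 +24,15 @@`), which is pure reordering since JSON key order carries no meaning; PSF-2026-30.json receives the same shuffle. As a one-off normalization to match the new record's layout this is fine, but it buries the real change (two new `fixed` events) in the diff. Have the exporter serialize with a fixed key order, for example `json.dumps(record, indent=2, sort_keys=True)` if it is Python, so later re-syncs only touch lines whose data changed.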
@@ -62,6 +68,14 @@
 {
 "type": "FIX",
 "url": "https://github.com/python/cpython/commit/c00c386faa579ad71196d33408644478488e43ec"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/56b7100b04e44ea27989242b176beb8f016b2c53"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/58703ec1bdd1eb075e8b01a0c427683ce594dd3e"
 }
 ],
 "database_specific": {
diff --git a/advisories/python/PSF-2026-24.json b/advisories/python/PSF-2026-24.json
index 8fa5b03..9b5341c 100644
--- a/advisories/python/PSF-2026-24.json
+++ b/advisories/python/PSF-2026-24.json
@@ -2,7 +2,7 @@
 "schema_version": "1.5.0",
 "id": "PSF-2026-24",
 "published": "2026-05-13T20:14:33.751Z",
- "modified": "2026-06-10T18:57:31.773Z",
+ "modified": "2026-06-30T15:09:29.230Z",
 "aliases": [
 "CVE-2026-8328"
 ],
@@ -30,6 +30,12 @@
 },
 {
 "fixed": "eac4fe3b2c77693790a5ef7dfab127c1fee81bf9"
+ },
+ {
+ "fixed": "2bbcf3fb7a420a05605576c0f9468d4675381b5f"
+ },
+ {
+ "fixed": "ef12d0dc824baccf737bba1458e5eed3d1e0fceb"
 }
 ],
 "repo": "https://github.com/python/cpython"
@@ -69,6 +75,14 @@
 {
 "type": "FIX",
 "url": "https://github.com/python/cpython/commit/eac4fe3b2c77693790a5ef7dfab127c1fee81bf9"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/2bbcf3fb7a420a05605576c0f9468d4675381b5f"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/ef12d0dc824baccf737bba1458e5eed3d1e0fceb"
 }
 ],
 "database_specific": {
diff --git a/advisories/python/PSF-2026-30.json b/advisories/python/PSF-2026-30.json
index 901f139..f096ac6 100644
--- a/advisories/python/PSF-2026-30.json
+++ b/advisories/python/PSF-2026-30.json
@@ -2,17 +2,16 @@
 "schema_version": "1.5.0",
 "id": "PSF-2026-30",
 "published": "2026-06-23T16:04:17.321Z",
- "modified": "2026-06-23T17:57:32.525Z",
+ "modified": "2026-06-30T15:13:33.568Z",
 "aliases": [
 "CVE-2026-11940"
 ],
- "details": "tarfile.extractall() with the 'data' or 'tar'\n filter could be bypassed by a crafted archive where a hardlink \nreferences a symlink stored at a deeper name than the hardlink itself.  \nThe extraction fallback validated the symlink at it's archived location \nbut recreated it at the hardlink's shallower\npath, letting a relative\n target the filter judged contained escape the destination directory.  \nThis allowed a malicious tar archive to create a symlink pointing \noutside the destination, enabling out-of-destination file reads or \nwrites. This was an incomplete fix of CVE-2025-4330.",
+ "details": "tarfile.extractall() with the 'data' or 'tar'\n filter could be bypassed by a crafted archive where a hardlink \nreferences a symlink stored at a deeper name than the hardlink itself.\u00a0 \nThe extraction fallback validated the symlink at it's archived location \nbut recreated it at the hardlink's shallower\npath, letting a relative\n target the filter judged contained escape the destination directory.\u00a0 \nThis allowed a malicious tar archive to create a symlink pointing \noutside the destination, enabling out-of-destination file reads or \nwrites. This was an incomplete fix of CVE-2025-4330.",
 "affected": [
 {
 "ranges": [
 {
 "type": "GIT",
- "repo": "https://github.com/python/cpython",
 "events": [
 {
 "introduced": "0"
@@ -28,8 +27,12 @@
 },
 {
 "fixed": "79c06bd5c6afa3c440d50faf7ee1b147c8832b4c"
+ },
+ {
+ "fixed": "be13e86f6b9788a6f4d0419dffef72cbae5865c9"
 }
- ]
+ ],
+ "repo": "https://github.com/python/cpython"
 }
 ]
 }
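Review bot: The rewritten `details` string in PSF-2026-30.json now embeds U+00A0 (`\u00a0`) where the previous text had a plain double space after `itself.` and `directory.`; that substitution is the only change to the sentence and appears to have been imported verbatim from the upstream CVE text. Non-breaking spaces in advisory prose render inconsistently and defeat naive text search, so the sync should normalize Unicode whitespace to an ASCII space before writing `details`, e.g. `details = details.replace("\u00a0", " ")` if the exporter is Python. The same pass could collapse the mid-sentence hard line breaks (`'tar'\n filter`, `shallower\npath`) and the `it's` → `its` slip that the text already carries.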
@@ -62,9 +65,13 @@
 {
 "type": "FIX",
 "url": "https://github.com/python/cpython/commit/79c06bd5c6afa3c440d50faf7ee1b147c8832b4c"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/be13e86f6b9788a6f4d0419dffef72cbae5865c9"
 }
 ],
 "database_specific": {
 "cwe_ids": []
 }
-}
+}
\ No newline at end of file
diff --git a/advisories/python/PSF-2026-31.json b/advisories/python/PSF-2026-31.json
index 400c063..f46228e 100644
--- a/advisories/python/PSF-2026-31.json
+++ b/advisories/python/PSF-2026-31.json
@@ -2,7 +2,7 @@
 "schema_version": "1.5.0",
 "id": "PSF-2026-31",
 "published": "2026-06-23T22:02:45.434Z",
- "modified": "2026-06-24T15:34:06.959Z",
+ "modified": "2026-06-30T15:13:21.383Z",
 "aliases": [
 "CVE-2026-11972"
 ],
@@ -15,6 +15,24 @@
 "events": [
 {
 "introduced": "0"
+ },
+ {
+ "fixed": "3f031d431f80668e14f3bc066bbf4369cd9281b9"
+ },
+ {
+ "fixed": "4ce6bf7c8aa7725828a38981c306f214c1f29365"
+ },
+ {
+ "fixed": "7f0dc59c9a70f8f3b4da33d7c4a2ba552a7acc21"
+ },
+ {
+ "fixed": "e86666c9dd256d52d0fbef6feb1ea4a51768fdec"
+ },
+ {
+ "fixed": "eb63c0f94dfcbea7fda8eab6213818e134d67192"
+ },
+ {
+ "fixed": "f50bf13566189c8d0ce5a814f33eff3d89951896"
 }
 ],
 "repo": "https://github.com/python/cpython"
@@ -34,6 +52,30 @@
 {
 "type": "ADVISORY",
 "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/AXPSKKTSRKXTTJULW3XSIC74WZNAAPPB/"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/3f031d431f80668e14f3bc066bbf4369cd9281b9"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/4ce6bf7c8aa7725828a38981c306f214c1f29365"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/7f0dc59c9a70f8f3b4da33d7c4a2ba552a7acc21"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/e86666c9dd256d52d0fbef6feb1ea4a51768fdec"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/eb63c0f94dfcbea7fda8eab6213818e134d67192"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/python/cpython/commit/f50bf13566189c8d0ce5a814f33eff3d89951896"
 }
 ],
 "database_specific": {