1 Commits

Author SHA256 Message Date
nkrapp 1dfd6bf041 - Update to 1.1.3 (fixes CVE-2026-23879 (bsc#1268669),
CVE-2026-55195 (bsc#1268665), CVE-2026-55206 (bsc#1268666))
  * CVE-2026-23879: Arbitrary File Write Vulnerability in py7zr (high severity)
    - Harden check of path traversal and enhance test cases to reproduce many
      attack scenarios.
  * CVE-2026-55206: O(n^2) algorithmic complexity DoS in PackInfo._read() in
    py7zr
    - Enforced variation of the parameter with a limit and optimized
      calculation algorithm to prevent excessive CPU consumption.
  * CVE-2026-55195: py7zr <= 1.1.2: Decompression bomb (zip bomb) denial of
    service via unchecked extraction size 
    - Added check of extraction size and introduced max_extract_size as
      constructor parameter to guard against excessive decompression.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-py7zr?expand=0&rev=24
2026-06-23 07:27:22 +00:00