1dfd6bf041
CVE-2026-55195 (bsc#1268665), CVE-2026-55206 (bsc#1268666))
* CVE-2026-23879: Arbitrary File Write Vulnerability in py7zr (high severity)
- Harden check of path traversal and enhance test cases to reproduce many
attack scenarios.
* CVE-2026-55206: O(n^2) algorithmic complexity DoS in PackInfo._read() in
py7zr
- Enforced variation of the parameter with a limit and optimized
calculation algorithm to prevent excessive CPU consumption.
* CVE-2026-55195: py7zr <= 1.1.2: Decompression bomb (zip bomb) denial of
service via unchecked extraction size
- Added check of extraction size and introduced max_extract_size as
constructor parameter to guard against excessive decompression.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-py7zr?expand=0&rev=24
169 lines
6.6 KiB
Plaintext
169 lines
6.6 KiB
Plaintext
-------------------------------------------------------------------
|
|
Mon Jun 22 10:04:43 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
|
|
|
|
- Update to 1.1.3 (fixes CVE-2026-23879 (bsc#1268669),
|
|
CVE-2026-55195 (bsc#1268665), CVE-2026-55206 (bsc#1268666))
|
|
* CVE-2026-23879: Arbitrary File Write Vulnerability in py7zr (high severity)
|
|
- Harden check of path traversal and enhance test cases to reproduce many
|
|
attack scenarios.
|
|
* CVE-2026-55206: O(n^2) algorithmic complexity DoS in PackInfo._read() in
|
|
py7zr
|
|
- Enforced variation of the parameter with a limit and optimized
|
|
calculation algorithm to prevent excessive CPU consumption.
|
|
* CVE-2026-55195: py7zr <= 1.1.2: Decompression bomb (zip bomb) denial of
|
|
service via unchecked extraction size
|
|
- Added check of extraction size and introduced max_extract_size as
|
|
constructor parameter to guard against excessive decompression.
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Feb 19 03:22:22 UTC 2026 - Steve Kowalik <steven.kowalik@suse.com>
|
|
|
|
- Update to 1.1.0:
|
|
## Security
|
|
* CVE-2025-6176: bump brotli@1.2.0
|
|
## What's Changed
|
|
* fix(is_7zfile): accept any path-like instead of just pathlib.Path
|
|
* Accept IO[bytes] instead of BinaryIO
|
|
* feat(cli): add support for extracting specific archive members
|
|
* fix: SevenZipFile.getinfo() now returns FileInfo as originally intended
|
|
* feat: make FileInfo and ArchiveInfo dataclasses
|
|
* feat: add is_file and is_symlink to FileInfo
|
|
* Use zstandard implementation from stdlib (PEP-784)
|
|
* chore: bump minimum Python version to 3.10 and update development deps
|
|
* chore: tox configuration in pyproject.toml native
|
|
* Use 3.10 type hint syntax
|
|
- Switch to GitHub tarball for the testsuite.
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jun 20 09:43:34 UTC 2025 - ecsos <ecsos@opensuse.org>
|
|
|
|
- Update to 1.0.0
|
|
* Changed
|
|
- CI: check on Linux on ARM64 with GitHub hosted ARM64 runner.
|
|
- Improve issue report template
|
|
- Remove Travis-CI button from Documentation
|
|
- Changes from 0.22.0
|
|
* Added
|
|
- Add mode "x" for SevenZipFile (#588)
|
|
- Add SevenZipFile#namelist method (#600)
|
|
* Fixed
|
|
- Append mode on non-existent files (#604)
|
|
- Fix NUMBER encoding of integer when 8 bytes(#591)
|
|
* Changed
|
|
- Minimum required Python version to be Python 3.8 (#601)
|
|
- Remove pyannotate from pyproject.toml (#598)
|
|
* Document
|
|
- Update user guide (#596)
|
|
- Changes from 0.21.1
|
|
* Fixed
|
|
- Follow shutil.register_unpack_format() convention of raising a ReadError when the library cannot handle a file (#583)
|
|
- ensure unpack_7zarchive closes the archive (#584)
|
|
- 64bit OS detection (#580)
|
|
* Added
|
|
- Add recursive sub-directories and files extraction (#585)
|
|
* Changed
|
|
- check targets argument type for read and extract method (#577)
|
|
- Treat zero byte stream as a file (#551)
|
|
- Changes from 0.21.0
|
|
* Changed
|
|
- Speed up extraction when number of files is very large (#555)
|
|
- Replace deprecated functions on python 3.12 (#550)
|
|
* Added
|
|
- Add report_update() for logging large files extraction (#558)
|
|
* Document
|
|
- Add subsection of multi-volume creation (#568)
|
|
- Drop py7zr-remove-pyannotate.patch because no more needed.
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Feb 16 15:40:08 UTC 2024 - Ben Greiner <code@bnavigator.de>
|
|
|
|
- Remove bogus unmaintained pyannotate test dependency
|
|
* Add py7zr-remove-pyannotate.patch gh#miurahr/py7zr#552
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Dec 27 13:59:12 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
|
|
|
- update to 0.20.8:
|
|
* Detect brotli import error (#543)
|
|
* refactor: hardening SevenZipFile constructor (#547)
|
|
* refactor: improve type safe functions (#545)
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Dec 15 06:16:51 UTC 2023 - ecsos <ecsos@opensuse.org>
|
|
|
|
- update to 0.20.7:
|
|
* Support Python 3.12
|
|
- update to 0.20.6
|
|
* fix: sanitize path when write (#525)
|
|
* fix: allow specify target path in relative path (#530)
|
|
* Avoid AttributeError on OpenBSD (#521)
|
|
* Error appending file: KeyError: 'lastwritetime' (#517)
|
|
* Fixing a string quote in user_guide document(#524)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jun 21 11:10:29 UTC 2023 - ecsos <ecsos@opensuse.org>
|
|
|
|
- Add %{?sle15_python_module_pythons}
|
|
|
|
-------------------------------------------------------------------
|
|
Thu May 4 19:19:16 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
|
|
|
- update to 0.20.5:
|
|
* Remove root reference from file names (#513)
|
|
* fix typo in the readme (#510)
|
|
* Drop manual GC to improve performance when many files are
|
|
handled. (#489, #490)
|
|
* Fix mypy error
|
|
* Skip deflate64 compression/decompression test on pypy
|
|
* There is an issue in dependency inflate64 library that causes
|
|
SIGABORT and SIGSEGV on pypy
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Dec 21 10:02:30 UTC 2022 - Ben Greiner <code@bnavigator.de>
|
|
|
|
- Update to 0.20.2
|
|
* Fix error with good path data, when detecting wrong path with
|
|
new canonical_path(), and drop resolve() call on path.
|
|
- Release 0.20.1
|
|
## Security
|
|
* Fix sanity check for path traversal attack(#480)
|
|
* Add path checker in writef() and writestr() methods that
|
|
ignores evil pass.
|
|
- When pass arcname as evil path such as
|
|
"../../../../tmp/evil.sh"
|
|
- it raises ValueError
|
|
* Check symlink and junction is under target folder when
|
|
extraction
|
|
- Release 0.20.0
|
|
* Support enhanced deflate compression.(#472)
|
|
* Bump setuptools@63 and setuptools_scm@7 (#473)
|
|
* Deprecate Python 3.6 support (#473)
|
|
- Fixes boo#1206141 CVE-2022-44900
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jul 15 07:54:24 UTC 2022 - Ben Greiner <code@bnavigator.de>
|
|
|
|
- Update to version 0.19.0
|
|
* big changelog
|
|
- Move tests to multibuild
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jul 14 18:23:24 UTC 2022 - Ben Greiner <code@bnavigator.de>
|
|
|
|
- Remove ancient python-pathlib from the build requirements but
|
|
leave the version as is. An update to the latest version 0.19.0
|
|
would require to package many more dependencies.
|
|
- Clean up the spec-file a little bit
|
|
- Use pytest. No pure python package should ever be untested.
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Apr 3 12:20:11 UTC 2021 - Ismail Dönmez <idonmez@suse.com>
|
|
|
|
- Fix sed line to use python3 and add a replacement for /usr/bin/python
|
|
as well.
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jan 22 11:45:55 UTC 2021 - ecsos <ecsos@opensuse.org>
|
|
|
|
- Initial version 0.11.3
|