Bugzilla – Bug 1221530
VUL-0: CVE-2024-21503: python-black: catastrophic performance on docstrings that contain large numbers of leading tab characters
Last modified: 2024-07-15 12:36:09 UTC
Security update Black 24.3.0: Highlights This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503. Stable style * Don't move comments along with delimiters, which could cause crashes (#4248) * Strengthen AST safety check to catch more unsafe changes to strings. Previous versions of Black would incorrectly format the contents of certain unusual f-strings containing nested strings with the same quote type. Now, Black will crash on such strings until support for the new f-string syntax is implemented. (#4270) * Fix a bug where line-ranges exceeding the last code line would not work as expected (#4273) Performance * Fix catastrophic performance on docstrings that contain large numbers of leading tab characters. This fixes CVE-2024-21503. (#4278) Documentation * Note what happens when --check is used with --quiet (#4236) References: https://github.com/psf/black/releases/tag/24.3.0 https://black.readthedocs.io/en/stable/change_log.html#id1
submitted SLE15-SP4 also via version update (should be fully backward compatible)
SUSE-SU-2024:2481-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1221530 CVE References: CVE-2024-21503 Maintenance Incident: [SUSE:Maintenance:34752](https://smelt.suse.de/incident/34752/) Sources used: openSUSE Leap 15.4 (src): python-black-24.3.0-150400.9.8.1 openSUSE Leap 15.6 (src): python-black-24.3.0-150400.9.8.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.