Bugzilla – Bug 1221661
VUL-0: CVE-2023-41334: python-astropy: command injection in TranformGraph().to_dot_graph()
Last modified: 2024-03-19 11:04:42 UTC
Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-41334 https://github.com/astropy/astropy/commit/22057d37b1313f5f5a9b5783df0a091d978dccb5 https://github.com/astropy/astropy/security/advisories/GHSA-h2x6-5jx5-46hf https://www.cve.org/CVERecord?id=CVE-2023-41334 https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539 https://bugzilla.redhat.com/show_bug.cgi?id=2270185
The version on Tumbleweed and the development project is 6.0.0 which is not vulnerable. There are several possible ways to fix this: 1. Update astropy in 15.6 to 6.0.0, but it will need an updated wcslib as well. 2. Update astropy in 15.6 to 5.3.4. But that must be done by a SUSE maintainer. I am only serving as Astropy maintainer in Tumbleweed. Also, I doubt anybody in the astronomy community uses an old Astropy on an old Python 3.6 SLE15/Leap15 machine. 3. Remove the outdated vulnerable astropy version python 3.6
Correction: I cannot find astropy in 15.5 or 15.6 at all. It has been removed after 15.4. So this is a non-issue.