OPENSUSE-SU-2025:0052-1

Vulnerability from csaf_opensuse - Published: 2025-02-03 19:01 - Updated: 2025-02-03 19:01
Summary
Security update for python-asteval

Notes

Title of the patch
Security update for python-asteval
Description of the patch
This update for python-asteval fixes the following issues:

Update to 1.0.6:

  * drop testing and support for Python 3.8, add Python 3.13, change document to reflect this.
  * implement safe_getattr and safe_format functions; fix bugs in UNSAFE_ATTRS and UNSAFE_ATTRS_DTYPES usage (boo#1236405, CVE-2025-24359)
  * make all procedure attributes private to curb access to AST nodes, which can be exploited
  * improvements to error messages, including use of ast functions to construct better error messages
  * remove import of numpy.linalg, as documented
  * update doc description for security advisory

Update to 1.0.5:

  * more work on handling errors, including fixing #133 and adding more comprehensive tests for #129 and #132

Update to 1.0.4:

  * fix error handling that might result in null exception

Update to 1.0.3:

  * functions ('Procedures') defined within asteval have a `_signature()` method, now used in repr
  * add support for deleting subscript
  * nested symbol tables now have a Group() function
  * update coverage config
  * cleanups of exception handling: errors must now have an exception
  * several related fixes to suppress repeated exceptions: see GH #132 and #129
  * make non-boolean return values from comparison operators behave like Python - not immediately testing as bool

Update to 1.0.2:

  * fix NameError handling in expression code
  * make exception messages more Python-like

Update to 1.0.1:

  * security fixes, based on audit by Andrew Effenhauser, Ayman Hammad, and Daniel Crowley, IBM X-Force Security Research division
  * remove numpy modules polynomial, fft, linalg by default for security concerns
  * disallow string.format(), improve security of f-string evaluation

Update to 1.0.0:

  * fix (again) nested list comprehension (Issues #127 and #126).
  * add more testing of multiple list comprehensions.
  * more complete support for Numpy 2, and removal of many Numpy symbols that have been long deprecated.
  * remove AST nodes deprecated in Python 3.8.
  * clean up build files and outdated tests.
  * fixes to codecov configuration.
  * update docs.

Update to 0.9.33:

  * fixes for multiple list comprehensions (addressing #126)
  * add testing with optionally installed numpy_financial to CI
  * test existence of all numpy imports to better safeguard against missing functions (for safer numpy 2 transition)
  * update rendered doc to include PDF and zipped HTML

Update to 0.9.32:

  * add deprecation message for numpy functions to be removed in numpy 2.0
  * comparison operations use try/except for short-circuiting instead of checking for numpy arrays (addressing #123)
  * add Python 3.12 to testing
  * move repository from 'newville' to 'lmfit' organization
  * update doc theme, GitHub locations pointed to by docs, other doc tweaks.

Update to 0.9.31:

  * cleanup numpy imports to avoid deprecated functions, add financial functions from numpy_financial module, if installed.
  * prefer 'user_symbols' when initializing Interpreter, but still support 'usersyms' argument. Will deprecate and remove eventually.
  * add support of optional (off by default) 'nested symbol table'.
  * update tests to run most tests with symbol tables of dict and nested group type.
  * general code and testing cleanup.
  * add config argument to Interpreter to more fully control which nodes are supported
  * add support for import and importfrom -- off by default
  * add support for with blocks
  * add support for f-strings
  * add support of set and dict comprehension
  * fix bug with 'int**int' not returning a float.

Update to 0.9.29:

  * bug fixes

Update to 0.9.28:

  * add support for Python 3.11
  * add support for multiple list comprehensions
  * improve performance of making the initial symbol table, and Interpreter creation, including better checking for index_tricks attributes

Update to 0.9.27:

  * more cleanups

Update to 0.9.26:

  * fix setup.py again

Update to 0.9.25:

  * fixes import errors for Py3.6 and 3.7, setting version with importlib_metadata.version if available.
  * use setuptools_scm and importlib for version
  * treat all __dunder__ attributes of all objects as inherently unsafe.

Update to 0.9.22:

  * another important but small fix for Python 3.9
  * Merge branch 'nested_interrupts_returns'

- Drop hard numpy requirement, don't test on python36

Update to 0.9.18:

  * drop python2
  * few fixes
Patchnames
openSUSE-2025-52
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-asteval",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-asteval fixes the following issues:\n\nUpdate to 1.0.6:\n\n  * drop testing and support for Python3.8, add Python 3.13,\n    change document to reflect this.\n  * implement safe_getattr and safe_format functions; fix bugs\n    in UNSAFE_ATTRS and UNSAFE_ATTRS_DTYPES usage (boo#1236405,\n    CVE-2025-24359)\n  * make all procedure attributes private to curb access to AST\n    nodes, which can be exploited\n  * improvements to error messages, including use ast functions\n    to construct better error messages\n  * remove import of numpy.linalg, as documented\n  * update doc description for security advisory\n\nUpdate to 1.0.5:\n\n  * more work on handling errors, including fixing #133 and\n    adding more comprehensive tests for #129 and #132\n\nUpdate to 1.0.4:\n\n  * fix error handling that might result in null exception\n\nUpdate to 1.0.3:\n\n  * functions (\u0027Procedures\u0027) defined within asteval have a `\n    _signature()` method, now use in repr\n  * add support for deleting subscript\n  * nested symbol tables now have a  Group() function\n  * update coverage config\n  * cleanups of exception handling :  errors must now have an\n    exception\n  * several related fixes to suppress repeated exceptions: see GH\n    #132 and #129\n  * make non-boolean return values from comparison operators\n    behave like Python - not immediately testing as bool\n\n- update to 1.0.2:\n  * fix NameError handling in expression code\n  * make exception messages more Python-like\n- update to 1.0.1:\n  * security fixes, based on audit by Andrew Effenhauser, Ayman\n    Hammad, and Daniel Crowley, IBM X-Force Security Research\n    division\n  * remove numpy modules polynomial, fft, linalg by default for\n    security concerns\n  * disallow string.format(), improve security of f-string\n    evaluation\n\n- update to 1.0.0:\n  * fix (again) nested list comprehension (Issues #127 and #126).\n  * add more testing of multiple list comprehensions.\n  * more complete support for Numpy 2, and removal of many Numpy\n    symbols that have been long deprecated.\n  * remove AST nodes deprecated in Python 3.8.\n  * clean up build files and outdated tests.\n  * fixes to codecov configuration.\n  * update docs.\n\n- update to 0.9.33:\n  * fixes for multiple list comprehensions (addressing #126)\n  * add testing with optionally installed numpy_financial to CI\n  * test existence of all numpy imports to better safeguard\n    against missing functions (for safer numpy 2 transition)\n  * update rendered doc to include PDF and zipped HTML\n\n- update to 0.9.32:\n  * add deprecations message for numpy functions to be removed in\n    numpy 2.0\n  * comparison operations use try/except for short-circuiting\n    instead of checking for numpy arrays (addressing #123)\n  * add Python 3.12 to testing\n  * move repository from \u0027newville\u0027 to \u0027lmfit\u0027 organization\n  * update doc theme, GitHub locations pointed to by docs, other\n    doc tweaks.\n\n- Update to 0.9.31:\n  * cleanup numpy imports to avoid deprecated functions, add financial\n  functions from numpy_financial module, if installed.\n  * prefer \u0027user_symbols\u0027 when initializing Interpreter, but still support\n  \u0027usersyms\u0027 argument. Will deprecate and remove eventually.\n  * add support of optional (off-by default) \u0027nested symbol table\u0027.\n  * update tests to run most tests with symbol tables of dict and nested\n  group type.\n  * general code and testing cleanup.\n  * add config argument to Interpreter to more fully control which nodes are supported\n  * add support for import and importfrom -- off by default\n  * add support for with blocks\n  * add support for f-strings\n  * add support of set and dict comprehension\n  * fix bug with \u0027int**int\u0027 not returning a float.\n\n- update to 0.9.29:\n  * bug fixes\n\n- Update to 0.9.28\n  * add support for Python 3.11\n  * add support for multiple list comprehensions\n  * improve performance of making the initial symbol table,\n    and Interpreter creation, including better checking for index_tricks attributes\n\n- update to 0.9.27:\n  * more cleanups\n\n- update to 0.9.26:\n  * fix setup.py again\n\n- update to 0.9.25:\n  * fixes import errors for Py3.6 and 3.7, setting version with\n    importlib_metadata.version if available.\n  * use setuptools_scm and importlib for version\n  * treat all __dunder__ attributes of all objects as inherently unsafe.\n\n- Update to 0.9.22\n  * another important but small fix for Python 3.9\n  * Merge branch \u0027nested_interrupts_returns\u0027\n- Drop hard numpy requirement, don\u0027t test on python36\n\n- update to 0.9.18\n  * drop python2\n  * few fixes\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2025-52",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_0052-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:0052-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/S3ET4NHUOZVYKROXRFLTLBVGPX32M46Q/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:0052-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/S3ET4NHUOZVYKROXRFLTLBVGPX32M46Q/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1236405",
        "url": "https://bugzilla.suse.com/1236405"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-24359 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-24359/"
      }
    ],
    "title": "Security update for python-asteval",
    "tracking": {
      "current_release_date": "2025-02-03T19:01:08Z",
      "generator": {
        "date": "2025-02-03T19:01:08Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:0052-1",
      "initial_release_date": "2025-02-03T19:01:08Z",
      "revision_history": [
        {
          "date": "2025-02-03T19:01:08Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-asteval-1.0.6-bp156.4.3.1.noarch",
                "product": {
                  "name": "python311-asteval-1.0.6-bp156.4.3.1.noarch",
                  "product_id": "python311-asteval-1.0.6-bp156.4.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP6",
                "product": {
                  "name": "SUSE Package Hub 15 SP6",
                  "product_id": "SUSE Package Hub 15 SP6"
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.6",
                "product": {
                  "name": "openSUSE Leap 15.6",
                  "product_id": "openSUSE Leap 15.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-asteval-1.0.6-bp156.4.3.1.noarch as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:python311-asteval-1.0.6-bp156.4.3.1.noarch"
        },
        "product_reference": "python311-asteval-1.0.6-bp156.4.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-asteval-1.0.6-bp156.4.3.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:python311-asteval-1.0.6-bp156.4.3.1.noarch"
        },
        "product_reference": "python311-asteval-1.0.6-bp156.4.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-24359",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-24359"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval\u0027s restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the `on_formattedvalue` value uses the dangerous format method of the str class. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP6:python311-asteval-1.0.6-bp156.4.3.1.noarch",
          "openSUSE Leap 15.6:python311-asteval-1.0.6-bp156.4.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-24359",
          "url": "https://www.suse.com/security/cve/CVE-2025-24359"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1236405 for CVE-2025-24359",
          "url": "https://bugzilla.suse.com/1236405"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP6:python311-asteval-1.0.6-bp156.4.3.1.noarch",
            "openSUSE Leap 15.6:python311-asteval-1.0.6-bp156.4.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-03T19:01:08Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-24359"
    }
  ]
}

