<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for python-asteval</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2025:0052-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2025-02-03T19:01:08Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2025-02-03T19:01:08Z</InitialReleaseDate>
    <CurrentReleaseDate>2025-02-03T19:01:08Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for python-asteval</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for python-asteval fixes the following issues:

Update to 1.0.6:

  * drop testing and support for Python3.8, add Python 3.13,
    change document to reflect this.
  * implement safe_getattr and safe_format functions; fix bugs
    in UNSAFE_ATTRS and UNSAFE_ATTRS_DTYPES usage (boo#1236405,
    CVE-2025-24359)
  * make all procedure attributes private to curb access to AST
    nodes, which can be exploited
  * improvements to error messages, including using ast functions
    to construct better error messages
  * remove import of numpy.linalg, as documented
  * update doc description for security advisory

Update to 1.0.5:

  * more work on handling errors, including fixing #133 and
    adding more comprehensive tests for #129 and #132

Update to 1.0.4:

  * fix error handling that might result in null exception

Update to 1.0.3:

  * functions ('Procedures') defined within asteval have a
    `_signature()` method, now used in repr
  * add support for deleting subscript
  * nested symbol tables now have a Group() function
  * update coverage config
  * cleanups of exception handling: errors must now have an
    exception
  * several related fixes to suppress repeated exceptions: see GH
    #132 and #129
  * make non-boolean return values from comparison operators
    behave like Python - not immediately testing as bool

- update to 1.0.2:
  * fix NameError handling in expression code
  * make exception messages more Python-like
- update to 1.0.1:
  * security fixes, based on audit by Andrew Effenhauser, Ayman
    Hammad, and Daniel Crowley, IBM X-Force Security Research
    division
  * remove numpy modules polynomial, fft, linalg by default for
    security concerns
  * disallow string.format(), improve security of f-string
    evaluation

- update to 1.0.0:
  * fix (again) nested list comprehension (Issues #127 and #126).
  * add more testing of multiple list comprehensions.
  * more complete support for Numpy 2, and removal of many Numpy
    symbols that have been long deprecated.
  * remove AST nodes deprecated in Python 3.8.
  * clean up build files and outdated tests.
  * fixes to codecov configuration.
  * update docs.

- update to 0.9.33:
  * fixes for multiple list comprehensions (addressing #126)
  * add testing with optionally installed numpy_financial to CI
  * test existence of all numpy imports to better safeguard
    against missing functions (for safer numpy 2 transition)
  * update rendered doc to include PDF and zipped HTML

- update to 0.9.32:
  * add deprecations message for numpy functions to be removed in
    numpy 2.0
  * comparison operations use try/except for short-circuiting
    instead of checking for numpy arrays (addressing #123)
  * add Python 3.12 to testing
  * move repository from 'newville' to 'lmfit' organization
  * update doc theme, GitHub locations pointed to by docs, other
    doc tweaks.

- Update to 0.9.31:
  * cleanup numpy imports to avoid deprecated functions, add financial
    functions from numpy_financial module, if installed.
  * prefer 'user_symbols' when initializing Interpreter, but still support
    'usersyms' argument. Will deprecate and remove eventually.
  * add support of optional (off-by default) 'nested symbol table'.
  * update tests to run most tests with symbol tables of dict and nested
    group type.
  * general code and testing cleanup.
  * add config argument to Interpreter to more fully control which nodes are supported
  * add support for import and importfrom -- off by default
  * add support for with blocks
  * add support for f-strings
  * add support of set and dict comprehension
  * fix bug with 'int**int' not returning a float.

- update to 0.9.29:
  * bug fixes

- Update to 0.9.28:
  * add support for Python 3.11
  * add support for multiple list comprehensions
  * improve performance of making the initial symbol table,
    and Interpreter creation, including better checking for index_tricks attributes

- update to 0.9.27:
  * more cleanups

- update to 0.9.26:
  * fix setup.py again

- update to 0.9.25:
  * fixes import errors for Py3.6 and 3.7, setting version with
    importlib_metadata.version if available.
  * use setuptools_scm and importlib for version
  * treat all __dunder__ attributes of all objects as inherently unsafe.

- Update to 0.9.22:
  * another important but small fix for Python 3.9
  * Merge branch 'nested_interrupts_returns'
- Drop hard numpy requirement, don't test on python36

- update to 0.9.18
  * drop python2
  * few fixes
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">openSUSE-2025-52</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/S3ET4NHUOZVYKROXRFLTLBVGPX32M46Q/</URL>
      <Description>E-Mail link for openSUSE-SU-2025:0052-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1236405</URL>
      <Description>SUSE Bug 1236405</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-24359/</URL>
      <Description>SUSE CVE CVE-2025-24359 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="SUSE Package Hub 15 SP6">
      <Branch Type="Product Name" Name="SUSE Package Hub 15 SP6">
        <FullProductName ProductID="SUSE Package Hub 15 SP6">SUSE Package Hub 15 SP6</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="openSUSE Leap 15.6">
      <Branch Type="Product Name" Name="openSUSE Leap 15.6">
        <FullProductName ProductID="openSUSE Leap 15.6" CPE="cpe:/o:opensuse:leap:15.6">openSUSE Leap 15.6</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="python311-asteval-1.0.6-bp156.4.3.1">
      <FullProductName ProductID="python311-asteval-1.0.6-bp156.4.3.1">python311-asteval-1.0.6-bp156.4.3.1</FullProductName>
    </Branch>
    <Relationship ProductReference="python311-asteval-1.0.6-bp156.4.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP6">
      <FullProductName ProductID="SUSE Package Hub 15 SP6:python311-asteval-1.0.6-bp156.4.3.1">python311-asteval-1.0.6-bp156.4.3.1 as a component of SUSE Package Hub 15 SP6</FullProductName>
    </Relationship>
    <Relationship ProductReference="python311-asteval-1.0.6-bp156.4.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.6">
      <FullProductName ProductID="openSUSE Leap 15.6:python311-asteval-1.0.6-bp156.4.3.1">python311-asteval-1.0.6-bp156.4.3.1 as a component of openSUSE Leap 15.6</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is rooted in how `asteval` handles `FormattedValue` AST nodes. In particular, the `on_formattedvalue` method uses the dangerous `format` method of the `str` class. The code allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties. Version 1.0.6 fixes this issue.</Note>
    </Notes>
    <CVE>CVE-2025-24359</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Package Hub 15 SP6:python311-asteval-1.0.6-bp156.4.3.1</ProductID>
        <ProductID>openSUSE Leap 15.6:python311-asteval-1.0.6-bp156.4.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/S3ET4NHUOZVYKROXRFLTLBVGPX32M46Q/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-24359.html</URL>
        <Description>CVE-2025-24359</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1236405</URL>
        <Description>SUSE Bug 1236405</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
