python-3.12, python-3.13: Apply CVE-2025-4516 patch #54620
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fix use-after-free in the unicode-escape decoder with non-strict error handlers. - Add CVE-2025-4516.patch from upstream merged PRs - Python 3.12: PR #134337 - Python 3.13: PR #133944 - Increment epoch to 2 for both packages Note: Python 3.9, 3.10, and 3.11 patches are pending upstream merge. Fixes: CVE-2025-4516
octo-sts
bot
added
the
bincapz/pass
There was a problem hiding this comment.
Pull Request Overview
This PR applies the CVE-2025-4516 patch to both the Python 3.12 and Python 3.13 package definitions to address a use-after-free vulnerability in the unicode-escape decoder with non-strict error handlers.
- Increment epoch from 1 to 2 to signal a packaging update.
- Append the CVE-2025-4516.patch to the list of patches for Python 3.12 and Python 3.13.
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| python-3.13.yaml | Updated epoch from 1 to 2 and added the CVE-2025-4516.patch to patches. |
| python-3.12.yaml | Updated epoch from 1 to 2 and added the CVE-2025-4516.patch to patches. |
ajayk
approved these changes
May 29, 2025
dakaneye
added a commit
to dakaneye/advisories
that referenced
this pull request
May 30, 2025
The fixes for CVE-2025-4516 (use-after-free in unicode_escape decoder) were applied to Python 3.12 and 3.13 in wolfi-dev/os#54620 which was merged on 2025-05-29. - Python 3.12: fixed in 3.12.10-r2 - Python 3.13: fixed in 3.13.3-r1 Python 3.10 and 3.11 remain pending upstream fixes. Related to: chainguard-dev/internal-dev#12589
dakaneye
added a commit
to dakaneye/advisories
that referenced
this pull request
May 30, 2025
Address PR feedback: Update fixed version based on epoch bump in wolfi-dev/os#54620
github-merge-queue bot
pushed a commit
to wolfi-dev/advisories
that referenced
this pull request
May 30, 2025
* Mark CVE-2025-4516 as fixed for Python 3.12 and 3.13 The fixes for CVE-2025-4516 (use-after-free in unicode_escape decoder) were applied to Python 3.12 and 3.13 in wolfi-dev/os#54620 which was merged on 2025-05-29. - Python 3.12: fixed in 3.12.10-r2 - Python 3.13: fixed in 3.13.3-r1 Python 3.10 and 3.11 remain pending upstream fixes. Related to: chainguard-dev/internal-dev#12589 * Fix Python 3.13 fixed version to 3.13.3-r2 Address PR feedback: Update fixed version based on epoch bump in wolfi-dev/os#54620
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fix use-after-free vulnerability in the unicode-escape decoder with non-strict error handlers.
Details
bytes.decode("unicode_escape", error="ignore|replace")Changes
Status
Testing
CI will validate that:
References