Spyder 6.0.x uses a vulnerable Python implementation #23396
Open

bedwinc opened this issue Jan 2, 2025 · 2 comments

Comments

bedwinc commented Jan 2, 2025

Issue Report Checklist

  • Searched the issues page for similar reports
  • Read the relevant sections of the Spyder Troubleshooting Guide and followed its advice
  • Reproduced the issue after updating with conda update spyder (or pip, if not using Anaconda)
  • Could not reproduce inside jupyter qtconsole (if console-related)
  • Tried basic troubleshooting (if a bug/error)
    • Restarted Spyder
    • Reset preferences with spyder --reset
    • Reinstalled the latest version of Anaconda
    • Tried the other applicable steps from the Troubleshooting Guide
  • Completed the Problem Description, Steps to Reproduce and Version sections below

Problem Description

Spyder v6.0.3 is using a vulnerable version of Python according to Qualys. https://nvd.nist.gov/vuln/detail/CVE-2023-27043

Vulnerability Result
Location: C:\ProgramData\spyder-6\include\patchlevel.h
Version: 3.11.9
HKLM\SOFTWARE\Python\PythonCore\3.11\INSTALLPATH Key found

The e-mail module of Python 0 - 2.7.18, 3.x - 3.12.x incorrectly parses e-mail addresses which contain a special character. This vulnerability allows attackers to send messages from e-mail addresses that would otherwise be rejected.

Affected versions
Python version 0 to 3.8.19
Python version 3.9.0 to 3.9.19
Python version 3.10.0 to 3.10.14
Python version 3.11.0 to 3.11.9
Python version 3.12.0 to 3.12.5

What steps reproduce the problem?

  1. Update Spyder to v 6.0.3

What is the expected output? What do you see instead?

N/A


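To act on a finding like this one, a defender wants two answers: does a given interpreter fall inside the affected ranges listed in the report, and does its email.utils expose the strict address parsing that the upstream fix for this CVE introduced. The following is an added example, not code from Spyder or from the reporter; the range table is copied from the Qualys result above, and the strict-parsing probe assumes the fixed parseaddr exposes that mode as a keyword named strict.

```python
import sys
import inspect
from email.utils import parseaddr

# Affected ranges exactly as listed in the Qualys finding (inclusive bounds).
# "Python version 0 to 3.8.19" is modelled as an open lower bound.
AFFECTED_RANGES = [
    ((0, 0, 0), (3, 8, 19)),
    ((3, 9, 0), (3, 9, 19)),
    ((3, 10, 0), (3, 10, 14)),
    ((3, 11, 0), (3, 11, 9)),
    ((3, 12, 0), (3, 12, 5)),
]


def is_affected(version):
    """True if a (major, minor, micro) tuple lies in an affected range."""
    v = tuple(version[:3])
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def parseaddr_supports_strict():
    """True if this interpreter's parseaddr accepts the 'strict' keyword
    (assumed name of the rejecting mode added by the upstream fix)."""
    return "strict" in inspect.signature(parseaddr).parameters


def check_interpreter(version_info=None):
    """Summarise exposure of the running interpreter, or of a given
    version tuple (e.g. the 3.11.9 found under C:\\ProgramData\\spyder-6)."""
    v = tuple(sys.version_info[:3]) if version_info is None else tuple(version_info[:3])
    return {
        "version": ".".join(map(str, v)),
        "in_affected_range": is_affected(v),
        "parseaddr_has_strict": parseaddr_supports_strict(),
    }


def parse_address_strictly(addr):
    """Parse an address in rejecting mode only; never fall back to the
    lenient parser on an interpreter that lacks the fix. In strict mode
    a malformed address comes back as ('', ''), which callers must treat
    as a rejection rather than a usable sender."""
    if not parseaddr_supports_strict():
        raise RuntimeError("email.utils.parseaddr has no strict mode; upgrade Python")
    return parseaddr(addr, strict=True)


if __name__ == "__main__":
    print(check_interpreter())
```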
ccordoba12 (Member) commented

Hey @bedwinc, thanks for reporting. We'll address this in our 6.1 version, to be released in a few months.

Since Spyder is not used for general development but mostly for scientific programming, we're not too worried about a vulnerability in the email module of the standard library.

@ccordoba12 ccordoba12 changed the title Spyder 6.0.3 Vulnerable Python Implementation CVE-2023-27043 Spyder 6.0.x uses a vulnerable Python implementation Jan 3, 2025
@ccordoba12 ccordoba12 added this to the v6.1.0 milestone Jan 3, 2025
bedwinc (Author) commented Jan 3, 2025 via email
