CVE-2022-40898

Advisory

Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages

Affected package

Affected versions

Fixed versions

Vulnerability changelog

- Dropped support for Python < 3.7
- Updated vendored ``packaging`` to 21.3
- Replaced all uses of ``distutils`` with ``setuptools``
- The handling of ``license_files`` (including glob patterns and default
values) is now delegated to ``setuptools>=57.0.0`` (466).
The package dependencies were updated to reflect this change.
- Fixed potential DoS attack via the ``WHEEL_INFO_RE`` regular expression
- Fixed ``ValueError: ZIP does not support timestamps before 1980`` when using
``SOURCE_DATE_EPOCH=0`` or when on-disk timestamps are earlier than 1980-01-01. Such
timestamps are now changed to the minimum value before packaging.

Resources

• https://pypi.org/project/wheel
• https://pyup.io/changelogs/wheel/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40898
• https://pypi.org/project/wheel/
• https://github.com/pypa/wheel/blob/main/src/wheel/wheelfile.py#L18
• https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/