VYPR

rpm package

opensuse/python-py7zr&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/python-py7zr&distro=openSUSE%20Tumbleweed

Vulnerabilities (5)

  • CVE-2026-55206 | Jun 19, 2026
    affected < 1.1.3-1.1, fixed 1.1.3-1.1

    Summary: PackInfo._read() uses an O(n^2) cumulative sum pattern where numstreams is read directly from the archive header. A crafted .7z archive with a large numstreams value causes excessive CPU consumption during SevenZipFile.__init__() — no extraction is needed. A 5

  • CVE-2026-55195 | Jun 19, 2026
    affected < 1.1.3-1.1, fixed 1.1.3-1.1

    py7zr's `Worker.decompress()` extracts archive entries without tracking total decompressed size. A crafted `.7z` file can exhaust disk or memory before the extraction completes. Measured: 15.6 KB archive → 100 MB output (6,556:1 ratio). **Proof of concept:** ```python import p

  • CVE-2026-23879 | High | Jun 19, 2026
    affected < 1.1.3-1.1, fixed 1.1.3-1.1

    Summary: There exists an **arbitrary file write vulnerability** in `py7zr` (1.1.0, latest), which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using `extractall` to extract an archive, the library rest

  • CVE-2025-6176 | High | Oct 31, 2025
    affected < 1.1.0-1.1, fixed 1.1.0-1.1

    Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less

  • CVE-2022-44900 | Dec 6, 2022
    affected < 0.20.8-2.6, fixed 0.20.8-2.6

    A directory traversal vulnerability in the SevenZipFile.extractall() function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file.