GHSA-vxcf-c7mx-pg53 – pyo3

Package

Manager: cargo
Name: pyo3
Vulnerable Version: >=0.23.0 <0.23.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Build corruption when using `PYO3_CONFIG_FILE` environment variable In PyO3 0.23.0 the `PYO3_CONFIG_FILE` environment variable used to configure builds regressed such that changing the environment variable would no longer trigger PyO3 to reconfigure and recompile. In combination with workflows using tools such as `maturin` to build for multiple versions in a single build, this leads to Python wheels being compiled against the wrong Python API version. All users who distribute artefacts for multiple Python versions are encouraged to update and rebuild with PyO3 0.23.3. Affected wheels produced from PyO3 0.23.0 through 0.23.2 are highly unstable and will crash the Python interpreter in unpredictable ways.

Metadata

Created: 2024-12-05T19:06:20Z
Modified: 2024-12-05T19:06:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-vxcf-c7mx-pg53/GHSA-vxcf-c7mx-pg53.json
CWE IDs: []
Alternative ID: N/A
Finding: F086
Auto approve: 1