pyelftools
Version: 0.33
What is "pyelftools"?
Parsing ELF and DWARF in Python
How to use this package

Quick install
Installs the package into the current environment for this session. Use --build or --runtime to persist it as a build-time or runtime dependency.

    min add pyelftools

Declare as a task dependency in minimal.toml
Listing the package under tasks.<name>.packages makes it available inside that task's sandbox.

    [tasks.dev]
    packages = ["pyelftools"]

Build-time vs runtime
Choose build-time for tools needed during compilation, runtime for dynamic libraries loaded at runtime.

    min add --build pyelftools
    min add --runtime pyelftools

Dependencies (3)
| Name | Version | Kind |
|---|---|---|
| base | — | build |
| python (CVE: 6) | 3.14.5 | runtime |
| setuptools | 82.0.1 | runtime |
Dependants (1)
| Name | Version |
|---|---|
| libkrunfw | 5.5.0 |
No direct advisories
This package inherits 7 transitive advisories from its dependencies.
Showing 7 transitive advisories via pyelftools's dependencies
By severity: Critical (0), High (4), Medium (3), Low (0), Unknown (0)

| Status | IDs | Package | Severity | Summary | Affected ranges | Fixed in | CVSS vector |
|---|---|---|---|---|---|---|---|
| Under investigation | | python | High | `bz2.BZ2Decompressor` objects could be reused after a decompression error. If an application caught the resulting `OSError` and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data. | 3.13.7 – 3.14.5 | | |
| Under investigation | | python | High: 7.5 | `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding. Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch. | 3.13.7 – 3.14.5 | | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Under investigation | | python | High: 7.5 | If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability. | 3.13.7 – 3.14.5 | | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| Resolved in 0df65d82dbc41e8da00adb243de5918db532c8a6 | | openssl | High | Heap-buffer-overflow in asn1_ex_i2c | 0df65d82dbc41e8da00adb243de5918db532c8a6, fixed in 0df65d82dbc41e8da00adb243de5918db532c8a6 | 0df65d82dbc41e8da00adb243de5918db532c8a6 | |
| Under investigation | | python | Medium | `tarfile.data_filter` could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause `tarfile.extractall()` to write files outside the destination directory, subject to the permissions of the extracting process. | 3.13.7 – 3.14.5 | | |
| Under investigation | | python | Medium | `unicodedata.normalize()` can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms. | 3.13.7 – 3.14.5 | | |
| Under investigation | | python | Medium | The `ftpcp()` function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While `makepasv()` was patched to replace server-supplied PASV host addresses with the actual peer address (`getpeername()[0]`), `ftpcp()` still calls `parse227()` directly and passes the raw attacker-controllable IP address and port to `target.sendport()`. This patch is related to CVE-2021-4189. | 3.13.7 – 3.14.5 | | |
45 components
| Packages | Version |
|---|---|
| pyelftools (ROOT) | 0.33 |
| acl | 2.3.2 |
| attr | 2.5.2 |
| bash | 5.3 |
| bash-bootstrap | 5.3 |
| binutils | 2.46.1 |
| bison | 3.8.2 |
| bzip2 | 1.0.8 |
| coreutils | 9.11 |
| diffutils | 3.12 |
| expat | 2.7.5 |
| file | 5.47 |
| findutils | 4.10.0 |
| flex | 2.6.4 |
| gawk | 5.4.0 |
| gawk-bootstrap | 5.3.2 |
| gcc | 15.2.0 |
| gdbm | 1.26 |
| glibc | 2.43 |
| gmp | 6.3.0 |
| grep | 3.12 |
| gzip | 1.14 |
| libcap | 2.78 |
| libffi | 3.5.2 |
| linux_headers | 6.12.43 |
| lz4 | 1.10.0 |
| m4 | 1.4.21 |
| make | 4.4.1 |
| mpc | 1.4.0 |
| mpfr | 4.2.2 |
| ncurses | 6.5-20250830 |
| openssl | 3.6.3 |
| pcre2 | 10.47 |
| perl | 5.42.0 |
| pkgconf | 2.5.1 |
| python | 3.14.5 |
| readline | 8.3 |
| sed | 4.9 |
| setuptools | 82.0.1 |
| sqlite | 3.50.4 |
| tar | 1.35 |
| util-linux | 2.42.1 |
| xz | 5.8.3 |
| zlib | 1.3.2 |
| zstd | 1.5.7 |