
STAC-25000: VEX CVE-2026-9669 (bz2 decompressor reuse) as not_affected for stackstate-k8s-agent#13

Open
LouisLotter wants to merge 1 commit into main from STAC-25000-vex-cve-2026-9669-agent-bz2

Conversation

@LouisLotter

Contributor

STAC-25000

Adds a Lane 2 not_affected statement for CVE-2026-9669 to the existing pkg:oci/stackstate-k8s-agent document, subcomponent pkg:generic/python@3.13.13, justification vulnerable_code_not_in_execute_path.

The CVE

CVE-2026-9669 (HIGH, disclosed 2026-06-08): if an application catches the OSError from a failed bz2.BZ2Decompressor.decompress() call and then calls decompress() again on the same instance, crafted input can resume the decompressor from an invalid internal state and perform out-of-bounds stack writes — a process crash (DoS), not code execution. Fix merged upstream (python/cpython#150600) with backports, but no released 3.13.x contains it yet, so the embedded interpreter cannot be patched by upgrading. Sibling of the already-vexed CVE-2026-6100 (same reuse pattern, MemoryError variant).

Evidence (review 2026-06-10, image quay.io/stackstate/stackstate-k8s-agent:02f4adaa)

First-party source — no bz2 usage:

  • git grep -n "BZ2Decompressor" 02f4adaa in stackstate-agent → zero matches.
  • git grep -liE "bz2|bzip2" 02f4adaa → only Go archive/bzip2 consumers (pkg/security/resolvers/file/analyzer.go etc. — compiled Go, not the embedded CPython) and tasks/kernel_matrix_testing/gdb.py (a .tar.bz2 filename string in dev-only invoke tooling, not packaged into the image per Dockerfiles/agent/Dockerfile).
  • stackstate-agent-integrations: git grep -niE "import bz2|from bz2|BZ2" → zero matches.

Image inspection — stdlib is the only BZ2Decompressor consumer:

$ grep -rl "BZ2Decompressor" /opt/stackstate-agent/embedded/lib/python3.13/ /opt/stackstate-agent/checks.d
.../python3.13/tarfile.py
.../python3.13/zipfile/__init__.py
.../python3.13/lib-dynload/_bz2.cpython-313-aarch64-linux-gnu.so
.../python3.13/encodings/bz2_codec.py
.../python3.13/bz2.py
(+ pyc caches; zero hits in site-packages or checks.d)

Stdlib consumers never reuse a failed decompressor instance (verified in the image's files):

  • zipfile/__init__.py:807 _get_decompressor returns a fresh bz2.BZ2Decompressor() per archive member.
  • _compression.py:53,88,128 (backs bz2.BZ2File/bz2.open) — constructs a new decompressor at init, next-stream, and rewind(); never retries a failed instance.
  • tarfile.py:387-388,549 — sets self.exception = OSError and maps a decompress failure to ReadError without calling decompress() again on the same object.

The vulnerable catch-OSError-and-retry-same-instance pattern therefore does not exist anywhere in the shipped image.

Action statement

Bump the omnibus-embedded CPython (omnibus/config/software/python3.rb) to the first 3.13.x release containing the upstream fix, then retire this statement.

tools/build_index.py --check passes (index regenerated, updated_at only).

🤖 Generated with Claude Code

…k8s-agent embedded CPython

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@LouisLotter LouisLotter requested a review from a team as a code owner June 10, 2026 14:42

2 participants