Bug 1800749 (CVE-2019-9674)

Summary: CVE-2019-9674 python: Nested zip file (Zip bomb) vulnerability in Lib/zipfile.py
Product: [Other] Security Response
Component: vulnerability
Reporter: Pedro Sampaio <psampaio>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
CC: carl, cstratak, dmalcolm, hhorak, jorton, kevin, mcascell, m.cyprian, mhroncok, pviktori, python-maint, python-sig, rkuska, shcherbina.iryna, slavek.kabrda, steve.traylen, TicoTimo, tomspur, torsava, vstinner
Doc Type: If docs needed, set a value
Doc Text: A ZIP bomb attack was found in the Python zipfile module. A remote attacker could abuse this flaw by providing a specially crafted ZIP file that, when decompressed by zipfile, would exhaust system resources resulting in a denial of service.
Last Closed: 2020-02-20 14:40:42 UTC
Bug Depends On: 1800750
Bug Blocks: 1800751

Description Pedro Sampaio 2020-02-07 20:18:58 UTC
Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.

References:

https://bugs.python.org/issue36260
https://bugs.python.org/issue36462
https://github.com/python/cpython/blob/master/Lib/zipfile.py
https://python-security.readthedocs.io/security.html#archives-and-zip-bomb

Comment 1 Pedro Sampaio 2020-02-07 20:19:27 UTC
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1800750]

Comment 2 Miro Hrončok 2020-02-07 21:38:31 UTC
> through 3.7.2

Where is this information coming from?


Also, upstream Python seems to have resolved this via a documentation update. At least that's what the two bug links suggest.

Comment 3 Victor Stinner 2020-02-10 07:58:25 UTC
There is new fix for this issue, only the documentation has been updated to warn users:
https://docs.python.org/dev/library/zipfile.html#decompression-pitfalls

Comment 4 Pedro Sampaio 2020-02-14 19:29:03 UTC
(In reply to Miro Hrončok from comment #2)
> > through 3.7.2
> 
> Where is this information coming from?
> 
> 
> Also, upstream Python seem to have resolved this via documentation update.
> At least that's what the two bugs links suggest.

It comes from Mitre's CVE page.

Comment 5 Victor Stinner 2020-02-17 10:02:10 UTC
> There is new fix for this issue, only the documentation has been updated to warn users:
> https://docs.python.org/dev/library/zipfile.html#decompression-pitfalls

Oops, I wanted to write "there is *no* fix": it has been decided to not fix this issue upstream. Users are responsible for handling the case. Only the Python documentation has been updated.

Comment 6 Mauro Matteo Cascella 2020-02-19 17:01:46 UTC
Upstream does not consider this as a security flaw. As mentioned in Comment #3, ZIP bomb attacks have been documented as a possible pitfall in later versions of the Python zipfile module.

Comment 8 Mauro Matteo Cascella 2020-02-21 14:01:17 UTC
Statement:

There is no plan to fix this flaw. Programs using the Python zipfile module should be responsible for validating external untrusted ZIP files. For further details, please refer to the following URLs:

[1] https://docs.python.org/dev/library/zipfile.html#decompression-pitfalls

[2] https://python-security.readthedocs.io/security.html#archives-and-zip-bomb-cve-2019-9674
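The statement above leaves validation of untrusted archives to the calling program. The following is an added example of what that validation can look like; it is not code from this bug, from Red Hat, or from CPython's zipfile module, and its limits (member count, declared total size, per-member size, compression ratio) are assumed policy values to be tuned per application. It checks central-directory metadata before decompressing anything, then decompresses each member in bounded chunks so the limit holds on bytes actually produced rather than on what the header declares, and it refuses members that are themselves ZIP archives (the nesting trick in the bug title) instead of recursing into them. The sample archives are constructed in-memory inside the block.

```python
"""Guarding zipfile against ZIP bombs: validate before decompressing (added example)."""
import io
import random
import zipfile

# Policy limits. These values are assumptions for the example; tune them per application.
MAX_MEMBERS = 1_000                 # entries per archive
MAX_TOTAL_SIZE = 32 * 1024 * 1024   # declared uncompressed bytes across all members
MAX_MEMBER_SIZE = 8 * 1024 * 1024   # bytes actually produced for a single member
MAX_RATIO = 100                     # uncompressed / compressed, per member
CHUNK = 64 * 1024


class UnsafeArchive(ValueError):
    """Raised when an archive violates one of the limits above."""


def check_archive(zf):
    """Inspect central-directory metadata only; nothing is decompressed here.
    Returns the declared total uncompressed size if every check passes."""
    infos = zf.infolist()
    if len(infos) > MAX_MEMBERS:
        raise UnsafeArchive(f"too many members: {len(infos)}")
    total = 0
    for info in infos:
        if info.is_dir():
            continue
        total += info.file_size
        if total > MAX_TOTAL_SIZE:
            raise UnsafeArchive(f"declared size exceeds {MAX_TOTAL_SIZE} bytes")
        # compress_size is 0 for empty members; only rate non-empty ones.
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            raise UnsafeArchive(f"suspicious ratio for {info.filename!r}")
    return total


def read_member(zf, info, reject_nested=True):
    """Decompress one member in bounded chunks. The limit is enforced on bytes
    actually produced, so it holds independently of what the header declares."""
    out = bytearray()
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            out += chunk
            if len(out) > MAX_MEMBER_SIZE:
                raise UnsafeArchive(f"{info.filename!r} grew past {MAX_MEMBER_SIZE} bytes")
    # A member that is itself a ZIP is the nesting trick from the bug title;
    # refuse it rather than recursing into it.
    if reject_nested and zipfile.is_zipfile(io.BytesIO(bytes(out))):
        raise UnsafeArchive(f"{info.filename!r} is a nested archive")
    return bytes(out)


def safe_extract(data):
    """Validate, then read every member of an in-memory archive: dict of name -> bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        check_archive(zf)
        return {i.filename: read_member(zf, i) for i in zf.infolist() if not i.is_dir()}


def build_samples():
    """Constructed inputs: a benign archive, a high-ratio bomb, and a nested archive."""
    def make(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, payload in members:
                zf.writestr(name, payload)
        return buf.getvalue()
    rng = random.Random(0)                       # deterministic, poorly compressible filler
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    benign = make([("readme.txt", b"hello zipfile\n"), ("data.bin", noise)])
    bomb = make([("zeros.bin", b"\0" * (4 * 1024 * 1024))])   # deflates at roughly 1000:1
    nested = make([("inner.zip", benign)])
    return {"benign": benign, "bomb": bomb, "nested": nested}


def classify(data):
    """Return 'ok' or the UnsafeArchive message; useful for logging a rejection."""
    try:
        safe_extract(data)
        return "ok"
    except UnsafeArchive as exc:
        return str(exc)


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:7s} -> {classify(blob)}")
```

The metadata pass is cheap and rejects the obvious bomb without touching the deflate stream, while the chunked reader is the backstop for anything the headers misrepresent; keeping both is the point, since neither check alone covers the other's failure mode.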