Bug 2402342 (CVE-2025-8291)
| Summary: | CVE-2025-8291 cpython: python: Python zipfile End of Central Directory (EOCD) Locator record offset not checked | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bbrownin, dfreiber, drow, gotiwari, jburrell, jgrulich, jhorak, ljawale, luizcosta, mvyas, nweather, rbobbitt, tpopela, vkumar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A zip file handling flaw has been discovered in the python standard library `zipfile` module. The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2402857, 2402858, 2402859, 2402864, 2402865, 2402866, 2402867, 2402869, 2402874, 2402875, 2402876, 2402860, 2402861, 2402862, 2402863, 2402868, 2402870, 2402871, 2402872, 2402873, 2402877 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2025-10-07 19:01:48 UTC
|