An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive. https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85 https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51 https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549 https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183 https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b https://github.com/python/cpython/issues/109858 https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/ https://www.bamsoftware.com/hacks/zipbomb/
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3347 https://access.redhat.com/errata/RHSA-2024:3347
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:3391 https://access.redhat.com/errata/RHSA-2024:3391
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3466 https://access.redhat.com/errata/RHSA-2024:3466
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:4058 https://access.redhat.com/errata/RHSA-2024:4058
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:4078 https://access.redhat.com/errata/RHSA-2024:4078
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:4243 https://access.redhat.com/errata/RHSA-2024:4243
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2024:4406 https://access.redhat.com/errata/RHSA-2024:4406
This issue has been addressed in the following products: Service Interconnect 1.4 for RHEL 9 Via RHSA-2024:4865 https://access.redhat.com/errata/RHSA-2024:4865
This issue has been addressed in the following products: Service Interconnect 1 for RHEL 9 Via RHSA-2024:4871 https://access.redhat.com/errata/RHSA-2024:4871