Bug 2307370 (CVE-2024-8088) - CVE-2024-8088 python: cpython: Iterating over a malicious ZIP file may lead to Denial of Service [NEEDINFO]
Keywords:
Status: NEW
Alias: CVE-2024-8088
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2307457 2307458 2307459 2307460 2307461 2307462 2307463 2307464 2307465 2307466
Blocks:
Reported: 2024-08-22 19:20 UTC by OSIDB Bzimport
Modified: 2024-10-11 01:27 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Python's zipfile module. When iterating over the entries of a zip archive, the process can enter into an infinite loop state and become unresponsive. This flaw allows an attacker to craft a malicious ZIP archive, leading to a denial of service from the application consuming the zipfile module. Only applications that handle user-controlled zip archives are affected by this vulnerability.
Clone Of:
Environment:
Last Closed:
Embargoed:
Flags: mijjapur: needinfo? (prodsec-dev)



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:6415 0 None None None 2024-09-05 09:35:39 UTC
Red Hat Product Errata RHSA-2024:5962 0 None None None 2024-08-28 18:51:56 UTC
Red Hat Product Errata RHSA-2024:6961 0 None None None 2024-09-24 00:48:33 UTC
Red Hat Product Errata RHSA-2024:6962 0 None None None 2024-09-24 00:48:46 UTC

Description OSIDB Bzimport 2024-08-22 19:20:34 UTC
There is a HIGH severity vulnerability affecting the CPython "zipfile"
module.

When iterating over names of entries in a zip archive (for example, methods
of "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()", etc.)
the process can be put into an infinite loop with a maliciously crafted
zip archive. This defect applies when reading only metadata or extracting
the contents of the zip archive. Programs that are not handling
user-controlled zip archives are not affected.
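The description above makes the operational point for defenders: any service that lists or extracts user-supplied archives in its own process can be hung by one crafted file. The following is an added example for this bug report, not CPython's fix and not code from the reporter: it lists an untrusted archive in a throwaway interpreter with a deadline, and applies caps on entry count and name length before returning anything to the caller. The cap values and the helper names (`list_entries`, `UnsafeArchive`, `make_temp_archive`) are assumptions for illustration.

```python
"""Bounded, time-limited listing of entries in an untrusted ZIP archive.

Added example for this bug report; it is not CPython's fix for CVE-2024-8088.
The metadata walk never runs in the request-handling process itself: a child
interpreter does the listing, the parent kills it at a deadline, and hard caps
are applied before any entry name reaches the caller.
"""
import json
import os
import subprocess
import sys
import tempfile
import zipfile

# Caps chosen for this example (assumed values; tune per application).
DEFAULT_MAX_ENTRIES = 10_000
DEFAULT_MAX_NAME_LEN = 4096
DEFAULT_TIMEOUT = 5.0

# Script run by the child interpreter: read the central directory only and
# print the names as JSON. If zipfile loops forever, only the child hangs.
_LISTER = r"""
import json, sys, zipfile
with zipfile.ZipFile(sys.argv[1]) as zf:
    print(json.dumps(zf.namelist()))
"""


class UnsafeArchive(ValueError):
    """Raised when the archive cannot be listed within the configured limits."""


def list_entries(archive_path, *, timeout=DEFAULT_TIMEOUT,
                 max_entries=DEFAULT_MAX_ENTRIES,
                 max_name_len=DEFAULT_MAX_NAME_LEN):
    """Return the entry names of archive_path, or raise UnsafeArchive."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _LISTER, archive_path],
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run has already killed the child when this is raised.
        raise UnsafeArchive(
            f"listing did not finish within {timeout}s; treating archive as hostile"
        ) from None
    if proc.returncode != 0:
        # Covers BadZipFile, missing files and any other reader failure.
        raise UnsafeArchive(f"zipfile rejected archive: {proc.stderr.strip()[-200:]}")
    names = json.loads(proc.stdout)
    if len(names) > max_entries:
        raise UnsafeArchive(f"{len(names)} entries exceeds cap of {max_entries}")
    for name in names:
        if len(name) > max_name_len:
            raise UnsafeArchive(
                f"entry name of {len(name)} characters exceeds cap of {max_name_len}"
            )
    return names


def make_temp_archive(names):
    """Write a small benign archive (constructed test data) and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "sample.zip")
    with zipfile.ZipFile(path, "w") as zf:
        for name in names:
            zf.writestr(name, f"contents of {name}")
    return path


if __name__ == "__main__":
    sample = make_temp_archive(["a.txt", "dir/b.txt"])
    print(list_entries(sample))
```

The child-process boundary is the part that matters for this CVE: a thread cannot be interrupted if the loop is inside library code, whereas `subprocess.run` kills the child on `TimeoutExpired`. The entry and name caps are a separate, cheap guard against archives that are merely large rather than malformed.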

Comment 1 errata-xmlrpc 2024-08-28 18:51:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5962 https://access.redhat.com/errata/RHSA-2024:5962

Comment 2 Fedora Update System 2024-09-12 01:27:58 UTC
FEDORA-2024-e887a10dee (python3.13-3.13.0~rc2-1.fc40) has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 3 Fedora Update System 2024-09-17 02:07:35 UTC
FEDORA-2024-f2fc325c40 (python3.13-3.13.0~rc2-1.fc39) has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 4 errata-xmlrpc 2024-09-24 00:48:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6961 https://access.redhat.com/errata/RHSA-2024:6961

Comment 5 errata-xmlrpc 2024-09-24 00:48:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6962 https://access.redhat.com/errata/RHSA-2024:6962
