Bug 1800749 (CVE-2019-9674) - CVE-2019-9674 python: Nested zip file (Zip bomb) vulnerability in Lib/zipfile.py
Summary: CVE-2019-9674 python: Nested zip file (Zip bomb) vulnerability in Lib/zipfile.py
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2019-9674
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1800750
Blocks: 1800751
Reported: 2020-02-07 20:18 UTC by Pedro Sampaio
Modified: 2024-03-26 09:12 UTC (History)
CC List: 20 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
The Python zipfile module was found to be susceptible to ZIP bomb attacks. A remote attacker could abuse this flaw by providing a specially crafted ZIP file that, when decompressed by zipfile, would exhaust system resources, resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2020-02-20 14:40:42 UTC
Embargoed:


Description Pedro Sampaio 2020-02-07 20:18:58 UTC
Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.

References:

https://bugs.python.org/issue36260
https://bugs.python.org/issue36462
https://github.com/python/cpython/blob/master/Lib/zipfile.py
https://python-security.readthedocs.io/security.html#archives-and-zip-bomb

Comment 1 Pedro Sampaio 2020-02-07 20:19:27 UTC
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1800750]

Comment 2 Miro Hrončok 2020-02-07 21:38:31 UTC
> through 3.7.2

Where is this information coming from?


Also, upstream Python seems to have resolved this via a documentation update. At least that's what the two bug links suggest.

Comment 3 Victor Stinner 2020-02-10 07:58:25 UTC
There is new fix for this issue, only the documentation has been updated to warn users:
https://docs.python.org/dev/library/zipfile.html#decompression-pitfalls

Comment 4 Pedro Sampaio 2020-02-14 19:29:03 UTC
(In reply to Miro Hrončok from comment #2)
> > through 3.7.2
> 
> Where is this information coming from?
> 
> 
> Also, upstream Python seems to have resolved this via a documentation update.
> At least that's what the two bug links suggest.

It comes from Mitre's CVE page.

Comment 5 Victor Stinner 2020-02-17 10:02:10 UTC
> There is new fix for this issue, only the documentation has been updated to warn users:
> https://docs.python.org/dev/library/zipfile.html#decompression-pitfalls

Oops, I wanted to write "there is *no* fix": it has been decided not to fix this issue upstream. Users are responsible for handling the case. Only the Python documentation has been updated.

Comment 6 Mauro Matteo Cascella 2020-02-19 17:01:46 UTC
Upstream does not consider this a security flaw. As mentioned in Comment #3, ZIP bomb attacks have been documented as a possible pitfall in later versions of the Python zipfile module.

Comment 8 Mauro Matteo Cascella 2020-02-21 14:01:17 UTC
Statement:

There is no plan to fix this flaw. Programs using the Python zipfile module should be responsible for validating external untrusted ZIP files. For further details, please refer to the following URLs:

[1] https://docs.python.org/dev/library/zipfile.html#decompression-pitfalls

[2] https://python-security.readthedocs.io/security.html#archives-and-zip-bomb-cve-2019-9674

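Both the CVE description at the top of this bug and the statement above leave the burden on the calling program: zipfile itself applies no limits, and a plain `ZipFile.extractall()` on an untrusted archive will happily inflate whatever the archive contains. The following scanner is an added example written for this page; it is not code from CPython, from the Python documentation, or from this bug report. The `Policy` limits, the function names and the sample archives are this example's own assumptions, and the samples are constructed in memory (16 MiB of zeros deflates to roughly 16 KiB, about 1000:1) so the script runs offline and writes nothing to disk. It does three things a practitioner handling external ZIP files should do: sum the sizes the central directory declares before inflating anything, count the bytes the decompressor actually produces against a fixed budget while reading in bounded chunks, and carry that same budget and a depth limit into nested archives, which is the case that defeats a per-archive header check on its own.

```python
import dataclasses
import io
import zipfile


@dataclasses.dataclass(frozen=True)
class Policy:
    """Hypothetical decompression limits for this example; tune per application."""
    max_total: int = 32 * 1024 * 1024   # output bytes allowed across the whole archive tree
    max_ratio: float = 100.0            # reject members whose headers declare more than 100:1
    max_depth: int = 1                  # one nested archive level allowed, deeper is rejected
    chunk: int = 64 * 1024              # inflate at most this much per read() call


class ZipBombError(ValueError):
    """Raised as soon as an archive exceeds the policy."""


def check_declared_sizes(zf, policy):
    """Cheap pass over the central directory before inflating anything.

    These sizes are attacker-supplied metadata, so passing here proves nothing
    on its own; it only rejects archives that honestly declare they are too big.
    """
    declared = 0
    for info in zf.infolist():
        declared += info.file_size
        if info.compress_size and info.file_size / info.compress_size > policy.max_ratio:
            raise ZipBombError(f"{info.filename}: declared ratio "
                               f"{info.file_size / info.compress_size:.0f}:1 exceeds policy")
    if declared > policy.max_total:
        raise ZipBombError(f"declared total {declared} bytes exceeds {policy.max_total}")
    return declared


def scan_archive(data, policy=Policy(), depth=0, remaining=None):
    """Inflate every member in bounded chunks and return the bytes actually produced.

    The budget is shared across nested archives: the outer archive's headers
    describe only the small inner .zip, so a per-archive header check alone
    would wave a nested bomb through.
    """
    if remaining is None:
        remaining = policy.max_total
    if depth > policy.max_depth:
        raise ZipBombError(f"archive nested deeper than {policy.max_depth}")
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        check_declared_sizes(zf, policy)
        for info in zf.infolist():
            if info.is_dir():
                continue
            buf = io.BytesIO()
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(policy.chunk)   # decompresses only up to chunk bytes
                    if not chunk:
                        break
                    produced += len(chunk)
                    if produced > remaining:
                        raise ZipBombError(f"{info.filename}: inflated past budget of {remaining} bytes")
                    buf.write(chunk)
            member = buf.getvalue()
            # Recurse into nested archives with whatever budget is left.
            if zipfile.is_zipfile(io.BytesIO(member)):
                produced += scan_archive(member, policy, depth + 1, remaining - produced)
    return produced


def verdict(data, policy=Policy()):
    """Convenience wrapper: (True, bytes_produced) or (False, reason)."""
    try:
        return True, scan_archive(data, policy)
    except (ZipBombError, zipfile.BadZipFile) as exc:
        return False, str(exc)


def make_zip(members, compression=zipfile.ZIP_DEFLATED):
    """Build an in-memory archive from {name: bytes}; used only for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples, not real-world bombs. 16 MiB of zeros deflates to about
# 16 KiB, roughly 1000:1, which is the kind of ratio the policy is meant to catch.
BENIGN = make_zip({"readme.txt": b"hello\n", "data.csv": b"a,b\n1,2\n"})
FLAT_BOMB = make_zip({"zeros.bin": bytes(16 * 1024 * 1024)})
NESTED_BOMB = make_zip({"inner.zip": FLAT_BOMB}, zipfile.ZIP_STORED)   # outer headers look harmless
DEEP_BOMB = make_zip({"level2.zip": NESTED_BOMB}, zipfile.ZIP_STORED)  # nests past max_depth

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("flat", FLAT_BOMB),
                         ("nested", NESTED_BOMB), ("deep", DEEP_BOMB)]:
        print(name, verdict(sample))
```

Run as a script it prints one verdict per sample: the benign archive is accepted with its 14 output bytes, the flat bomb is rejected by the declared-ratio check, the nested bomb passes the outer archive's headers and is rejected one level down, and the deeply nested one trips the depth limit before anything large is inflated. The header check is only a cheap early exit; because those sizes are under the attacker's control, the count of bytes the decompressor really produces is what the budget is enforced on. For production use, stream each member to a file under the same quota instead of buffering it in memory as this example does for simplicity, and keep `max_depth` small unless nested archives are genuinely expected.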