Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.

References:
https://bugs.python.org/issue36260
https://bugs.python.org/issue36462
https://github.com/python/cpython/blob/master/Lib/zipfile.py
https://python-security.readthedocs.io/security.html#archives-and-zip-bomb
Created python3 tracking bugs for this issue: Affects: fedora-all [bug 1800750]
> through 3.7.2

Where is this information coming from?

Also, upstream Python seems to have resolved this via a documentation update. At least that's what the two bug links suggest.
There is a new fix for this issue; only the documentation has been updated to warn users: https://docs.python.org/dev/library/zipfile.html#decompression-pitfalls
(In reply to Miro Hrončok from comment #2)
> > through 3.7.2
>
> Where is this information coming from?
>
> Also, upstream Python seem to have resolved this via documentation update.
> At least that's what the two bugs links suggest.

It comes from Mitre's CVE page.
> There is new fix for this issue, only the documentation has been updated to warn users:
> https://docs.python.org/dev/library/zipfile.html#decompression-pitfalls

Oops, I wanted to write "there is *no* fix": it has been decided not to fix this issue upstream. Users are responsible for handling the case. Only the Python documentation has been updated.
Upstream does not consider this a security flaw. As mentioned in comment #3, ZIP bomb attacks have been documented as a possible pitfall in later versions of the Python zipfile module documentation.
Statement: There is no plan to fix this flaw. Programs using the Python zipfile module should be responsible for validating external untrusted ZIP files. For further details, please refer to the following URLs:
[1] https://docs.python.org/dev/library/zipfile.html#decompression-pitfalls
[2] https://python-security.readthedocs.io/security.html#archives-and-zip-bomb-cve-2019-9674