2276525 – (CVE-2024-0450) CVE-2024-0450 python: The zipfile module is vulnerable to zip-bombs leading to denial of service

Bug 2276525 (CVE-2024-0450) - CVE-2024-0450 python: The zipfile module is vulnerable to zip-bombs leading to denial of service

Summary: CVE-2024-0450 python: The zipfile module is vulnerable to zip-bombs leading t...

Keywords:
Status:	NEW
Alias:	CVE-2024-0450
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2276519
TreeView+	depends on / blocked

Reported:	2024-04-22 20:57 UTC by Marco Benatto
Modified:	2024-05-07 13:28 UTC (History)
CC List:	28 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Python/CPython 'zipfile' that can allow a zip-bomb type of attack. An attacker may craft a zip file format, leading to a Denial of Service when processed.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Marco Benatto 2024-04-22 20:57:41 UTC

An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85
https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba
https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51
https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549
https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183
https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b
https://github.com/python/cpython/issues/109858
https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html
https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html
https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/
https://www.bamsoftware.com/hacks/zipbomb/

Note You need to log in before you can comment on or make changes to this bug.

aarif
agarcial
aoconnor
aprice
asegurap
bdettelb
caswilli
dfreiber
drow
fjansen
hkataria
jburrell
jmitchel
jsamir
jsherril
jtanner
kaycoth
kholdawa
kshier
mpierce
orabin
psegedy
sidakwo
sthirugn
vkrizan
vkumar
xiaoxwan
zzhou