oss-sec mailing list archives
CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Thu, 22 Aug 2024 11:56:35 -0700
-------- Forwarded Message --------Subject: [Security-announce][CVE-2024-8088] Infinite loop when iterating over zip archive entry names
Date: Thu, 22 Aug 2024 13:40:20 -0500 From: Seth Larson <seth () python org> Reply-To: security-sig () python org To: security-announce () python org There is a HIGH severity vulnerability affecting the CPython "zipfile" module.When iterating over names of entries in a zip archive (for example, methods of "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.
Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2024-8088 * https://github.com/python/cpython/pull/122906 * https://github.com/python/cpython/issues/122905
Current thread:
- CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Alan Coopersmith (Aug 22)
- Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman (Aug 22)
- Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman (Aug 23)
- Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman (Aug 23)
- Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman (Aug 23)
- Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman (Aug 22)