oss-sec mailing list archives
Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names
From: Fay Stegerman <flx () obfusk net>
Date: Thu, 22 Aug 2024 23:12:57 +0200
* Alan Coopersmith <alan.coopersmith () oracle com> [2024-08-22 20:56]:
-------- Forwarded Message -------- Subject: [Security-announce][CVE-2024-8088] Infinite loop when iterating over zip archive entry names Date: Thu, 22 Aug 2024 13:40:20 -0500 From: Seth Larson <seth () python org> Reply-To: security-sig () python org To: security-announce () python org There is a HIGH severity vulnerability affecting the CPython "zipfile" module. When iterating over names of entries in a zip archive (for example, methods of "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2024-8088 * https://github.com/python/cpython/pull/122906 * https://github.com/python/cpython/issues/122905
A small correction/addendum based on reading the vulnerability report and the PR
that fixes this (as well as being quite familiar with Python zipfile.ZipFile
internals and confused how this would affect it): it's not zipfile.ZipFile and
its methods that are affected, at least not directly, but zipfile.Path. The
issue being this code in zipfile._path._ancestry():
path = path.rstrip(posixpath.sep)
while path and path != posixpath.sep:
yield path
path, tail = posixpath.split(path)
Which results in an infinite loop because for example posixpath.split("//") ==
("//", "") but "//" != posixpath.sep:
>>> it = zipfile._path._parents("//foo")
>>> next(it)
'//'
>>> next(it)
'//'
>>> next(it)
'//'
The infinite loop has been fixed by sanitising the paths.
- Fay
Current thread:
- CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Alan Coopersmith (Aug 22)
- Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman (Aug 22)
- Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman (Aug 23)
- Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman (Aug 23)
- Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman (Aug 23)
- Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman (Aug 22)