Closed as not planned
Description
Security Vulnerability Alert
Package: python v3.10.8
Vulnerability ID: BIT-python-2024-8088
Source: Open Source Vulnerabilities (OSV)
Severity:
Score: 0.0
Summary
Details
There is a HIGH severity vulnerability affecting the CPython "zipfile" module, specifically "zipfile.Path". Note that the more common API, the "zipfile.ZipFile" class, is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc.), the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.
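The advisory narrows the exposure to programs that hand user-controlled archives to "zipfile.Path", and the referenced fix (gh-122906) sanitizes entry names. The following is an added example, not CPython's code or the upstream fix: a pre-flight check that lists entry names through "zipfile.ZipFile" (stated above to be unaffected) and refuses an archive whose names are not plain relative paths before a "zipfile.Path" is ever constructed over it. The rule set (absolute paths, drive letters, "." and ".." components, empty components, backslashes, NUL bytes, an entry-count cap), the cap value and the sample archives are this example's own assumptions.

```python
"""Pre-flight check for untrusted zip archives before handing them to zipfile.Path.

Added example, not CPython code. Entry names are read with zipfile.ZipFile, which
the advisory says is unaffected, and the archive is rejected if any name is not a
plain relative path. The rule set below is this example's own conservative choice.
"""
from __future__ import annotations

import io
import zipfile

MAX_ENTRIES = 10_000  # constructed cap; tune to what the application expects


def entry_name_problems(name: str) -> list[str]:
    """Return the reasons a zip entry name is not a plain relative path (empty list if it is)."""
    problems: list[str] = []
    if not name:
        return ["empty name"]
    if "\x00" in name:
        problems.append("NUL byte")
    if "\\" in name:
        problems.append("backslash separator")
    if name.startswith("/"):
        problems.append("absolute path")
    if len(name) >= 2 and name[0].isalpha() and name[1] == ":":
        problems.append("drive letter")
    parts = name.split("/")
    # A single trailing slash is the normal directory marker; drop it before
    # checking components so "docs/" is accepted but names with empty
    # components (repeated slashes) are not.
    if len(parts) > 1 and parts[-1] == "":
        parts = parts[:-1]
    if any(part == "" for part in parts):
        problems.append("empty path component")
    if any(part in (".", "..") for part in parts):
        problems.append("relative component")
    return problems


def validate_zip_names(data: bytes, max_entries: int = MAX_ENTRIES) -> dict[str, list[str]]:
    """Map each suspicious entry name to its problems, using only ZipFile.namelist()."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    if len(names) > max_entries:
        raise ValueError(f"archive has {len(names)} entries, cap is {max_entries}")
    return {name: probs for name in names if (probs := entry_name_problems(name))}


def archive_is_clean(data: bytes) -> bool:
    """True when no entry name trips any rule."""
    return not validate_zip_names(data)


def open_path_if_clean(data: bytes) -> zipfile.Path:
    """Return a zipfile.Path over the archive, or raise ValueError if any name is suspicious."""
    bad = validate_zip_names(data)
    if bad:
        raise ValueError(f"refusing archive with suspicious entry names: {bad}")
    return zipfile.Path(io.BytesIO(data))


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory archive with the given (constructed) entry names for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample archives: one well-formed, one with names a sanitizer should reject.
    clean = build_zip({"docs/readme.txt": b"hello", "docs/data.bin": b"\x00\x01"})
    suspicious = build_zip({"ok.txt": b"fine", "../escape.txt": b"x", "/abs/file.txt": b"y"})
    print("clean archive problems:", validate_zip_names(clean))
    print("suspicious archive problems:", validate_zip_names(suspicious))
    root = open_path_if_clean(clean)
    print("entries under docs/:", sorted(child.name for child in root.joinpath("docs").iterdir()))
```

The check reads only the central directory through "ZipFile", so it costs one pass over the entry names and never touches the affected code path for an archive it rejects. It is a mitigation layered in front of the library, not a substitute for upgrading to a CPython release that carries the referenced fix.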
References
- http://www.openwall.com/lists/oss-security/2024/08/22/1
- http://www.openwall.com/lists/oss-security/2024/08/22/4
- http://www.openwall.com/lists/oss-security/2024/08/23/1
- http://www.openwall.com/lists/oss-security/2024/08/23/2
- python/cpython@0aa1ee2
- python/cpython@2231286
- python/cpython@795f259
- python/cpython@7bc367e
- python/cpython@7e8883a
- python/cpython@8c73489
- python/cpython@95b073b
- python/cpython@9620552
- python/cpython@dcc5182
- python/cpython@e0264a6
- python/cpython@fc0b825
- Malformed payload can lead to infinite loops in zipfile.Path python/cpython#122905
- zipfile.Path regression python/cpython#123270
- gh-122905: Sanitize names in zipfile.Path. python/cpython#122906
- https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
- https://nvd.nist.gov/vuln/detail/CVE-2024-8088
- https://security.netapp.com/advisory/ntap-20241011-0010/