Bug 869222 (CVE-2013-7338) - VUL-0: CVE-2013-7338: python: denial of service (endless loop) via corrupted ZIP files
Summary: VUL-0: CVE-2013-7338: python: denial of service (endless loop) via corrupted ...
Status: RESOLVED FIXED
Alias: CVE-2013-7338
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/97150/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-19 17:23 UTC by Marcus Meissner
Modified: 2014-05-02 16:51 UTC (History)
CC List: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
malzip.py (3.89 KB, text/plain)
2014-03-19 17:24 UTC, Marcus Meissner

Description Marcus Meissner 2014-03-19 17:23:09 UTC
via oss-sec

From: jmm@debian.org
Date: Tue, 18 Mar 2014 18:08:40 +0100


Upstream fix: http://hg.python.org/cpython/rev/79ea4ce431b1
Original report: http://bugs.python.org/issue20078

quoting the python bug:

I am using the zipfile module on a webserver which provides a service which processes files in zips uploaded by users. While hardening against zip bombs, I tried binary editing a zip to put in false file size information. The result is interesting: with a ZIP_STORED file, or with a carefully crafted ZIP_DEFLATED file (and perhaps ZIP_BZIP2 and ZIP_LZMA for craftier hackers than I), when the stated file size exceeds the size of the archive itself, ZipExtFile.read goes into an infinite loop, consuming 100% CPU.

The following methods on such an archive all result in an infinite loop:
ZipExtFile.read
ZipExtFile.read(n)
ZipExtFile.readlines
ZipFile.extract
ZipFile.extractall


ZipExtFile.read1 silently returns corrupt data but does not hang.

Obviously the module doesn't need to bend over backwards to deal gracefully with deliberately and maliciously crafted input, since all the user hopes for is to bring the program crashing down, but the 100% CPU infinite loop is probably one of the less satisfactory possible failure modes. It should either raise an exception or do something like read1 and silently return corrupt data.

This is low priority except for security since unless a zip is maliciously crafted some kind of exception will almost certainly be raised due to a decompression or invalid zip exception.
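A defensive check a service that processes user-uploaded zips can run before touching any entry data, written here as an added example (it is neither the attached reproducer nor upstream's fix): it cross-checks each central-directory entry's declared sizes against the real archive length, then reads entries through a chunked loop with a hard byte cap instead of trusting file_size. The archive and the size corruption are constructed inline, and MAX_ENTRY_BYTES is an assumed policy value.

```python
import io
import struct
import zipfile

MAX_ENTRY_BYTES = 64 * 1024 * 1024  # per-entry budget; an assumed policy value, not from the report

def build_stored_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample: a one-entry ZIP_STORED archive held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def forge_sizes(archive: bytes, bogus: int) -> bytes:
    """Constructed corrupt sample: overwrite the compressed and uncompressed size
    fields (offsets 20 and 24) of the first central-directory header."""
    cd = archive.index(b"PK\x01\x02")
    return archive[:cd + 20] + struct.pack("<II", bogus, bogus) + archive[cd + 28:]

def audit_zip(archive: bytes, max_entry_bytes: int = MAX_ENTRY_BYTES) -> list:
    """Cross-check each central-directory entry against the archive length before
    any entry data is read. Returns a list of findings; an empty list means OK."""
    total, findings = len(archive), []
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            for zi in zf.infolist():
                if zi.header_offset + zi.compress_size > total:
                    findings.append(f"{zi.filename}: compress_size {zi.compress_size} "
                                    f"runs past end of archive ({total} bytes)")
                if zi.file_size > max_entry_bytes:
                    findings.append(f"{zi.filename}: file_size {zi.file_size} over budget")
                if zi.compress_type == zipfile.ZIP_STORED and zi.compress_size != zi.file_size:
                    findings.append(f"{zi.filename}: stored entry with unequal sizes")
    except zipfile.BadZipFile as exc:
        findings.append(f"unparseable archive: {exc}")
    return findings

def safe_read(archive: bytes, name: str, max_bytes: int = MAX_ENTRY_BYTES):
    """Return the entry's bytes, or None when the audit fails or the entry yields
    more than max_bytes; the chunked read1 loop never trusts the declared sizes."""
    if audit_zip(archive, max_bytes):
        return None
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf, zf.open(name) as fh:
        while chunk := fh.read1(64 * 1024):
            out += chunk
            if len(out) > max_bytes:
                return None
    return bytes(out)
```

On a modern interpreter the forged archive is already rejected by zipfile itself, but the audit rejects it before any read path is entered, which is what matters on an unpatched 3.3.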
Comment 1 Marcus Meissner 2014-03-19 17:23:53 UTC
(python in SLE already has zipfile.py, so it might already be affected.

the patch would not directly apply though.)
Comment 2 Marcus Meissner 2014-03-19 17:24:31 UTC
Created attachment 582844 [details]
malzip.py

http://bugs.python.org/file33277/malzip.py  reproducer
Comment 3 Jan Matejek 2014-03-19 17:34:18 UTC
python3 in Factory and SLE12 already has the fix

python2 appears to be affected as well, so we'll have to release fixes
Comment 4 Swamp Workflow Management 2014-03-19 23:00:40 UTC
bugbot adjusting priority
Comment 5 Jan Matejek 2014-03-25 18:33:46 UTC
no, turns out python 2 is *not* affected.
so all that remains is to fix python3 in 13.1. i'm preparing an update that fixes the other open VUL0 and VUL1 issues as well
Comment 6 Bernhard Wiedemann 2014-03-27 19:00:44 UTC
This is an autogenerated message for OBS integration:
This bug (869222) was mentioned in
https://build.opensuse.org/request/show/227818 13.1 / python3
Comment 7 Bernhard Wiedemann 2014-04-07 15:00:33 UTC
This is an autogenerated message for OBS integration:
This bug (869222) was mentioned in
https://build.opensuse.org/request/show/229292 Factory / python3
Comment 9 Jan Matejek 2014-04-07 16:29:25 UTC
all affected distributions submitted, handing over to security
Comment 10 Swamp Workflow Management 2014-04-09 16:04:51 UTC
openSUSE-SU-2014:0498-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 856835,856836,863741,869222
CVE References: CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2013-7338,CVE-2014-1912
Sources used:
openSUSE 13.1 (src):    python3-3.3.5-5.4.1, python3-base-3.3.5-5.4.1, python3-doc-3.3.5-5.4.1
Comment 11 Bernhard Wiedemann 2014-04-10 15:00:31 UTC
This is an autogenerated message for OBS integration:
This bug (869222) was mentioned in
https://build.opensuse.org/request/show/229636 12.3 / python3
Comment 12 Swamp Workflow Management 2014-05-02 13:06:40 UTC
openSUSE-SU-2014:0597-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 637176,863741,869222,871152
CVE References: CVE-2013-7338,CVE-2014-1912,CVE-2014-2667
Sources used:
openSUSE 12.3 (src):    python3-3.3.0-6.15.2, python3-base-3.3.0-6.15.1, python3-doc-3.3.0-6.15.1
Comment 13 Alexander Bergmann 2014-05-02 16:51:46 UTC
Fixed and released. Closing bug.