Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Malformed payload can lead to infinite loops in zipfile.Path #122905

Closed
jaraco opened this issue Aug 11, 2024 · 1 comment · Fixed by #122906
Closed

Malformed payload can lead to infinite loops in zipfile.Path #122905

jaraco opened this issue Aug 11, 2024 · 1 comment · Fixed by #122906
Assignees
@jaraco
Labels
type-bug An unexpected behavior, bug, or error type-security A security issue

Comments

@jaraco
Copy link
Member

jaraco commented Aug 11, 2024
edited by bedevere-app bot
Loading

As reported in jaraco/zipp#119, malformed paths in a zipfile can lead to undesirable behaviors (infinite loops) when traversed using zipfile.Path.

This issue tracks porting that fix to CPython.

Linked PRs
@jaraco jaraco self-assigned this Aug 11, 2024
@jaraco jaraco added type-bug An unexpected behavior, bug, or error type-security A security issue labels Aug 11, 2024
jaraco added a commit to jaraco/cpython that referenced this issue Aug 11, 2024
@jaraco
pythongh-122905: Sanitize names in zipfile.Path.
1e15a83 
Closes python#122905; Ported from zipp 3.19.1; ref jaraco/zipp#119.
This was referenced Aug 11, 2024
Merged
Merged
jaraco added a commit that referenced this issue Aug 11, 2024
@jaraco
gh-122905: Sanitize names in zipfile.Path. (#122906)
9cd0326 
Ported from zipp 3.19.1; ref jaraco/zipp#119.
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Aug 11, 2024
@jaraco @miss-islington
pythongh-122905: Sanitize names in zipfile.Path. (pythonGH-122906)
d6402c8 
Ported from zipp 3.19.1; ref jaraco/zippGH-119.
(cherry picked from commit 9cd0326)

Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Aug 11, 2024
@jaraco @miss-islington
pythongh-122905: Sanitize names in zipfile.Path. (pythonGH-122906)
ee9f405 
Ported from zipp 3.19.1; ref jaraco/zippGH-119.
(cherry picked from commit 9cd0326)

Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
This was referenced Aug 11, 2024
Merged
Merged
jaraco added a commit to jaraco/cpython that referenced this issue Aug 12, 2024
@jaraco
pythongh-122905: Sanitize names in zipfile.Path. (python#122906)
0d480f2 
Ported from zipp 3.19.1; ref jaraco/zipp#119.

(cherry picked from commit 9cd0326)
jaraco added a commit to jaraco/cpython that referenced this issue Aug 12, 2024
@jaraco
[3.11] pythongh-122905: Sanitize names in zipfile.Path. (pythonGH-122906
ed03fe9 
)

Ported from zipp 3.19.1; ref jaraco/zippGH-119.
(cherry picked from commit 9cd0326)

Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
@bedevere-app bedevere-app bot mentioned this issue Aug 12, 2024
Merged
jaraco pushed a commit that referenced this issue Aug 12, 2024
@miss-islington
[3.13] gh-122905: Sanitize names in zipfile.Path. (GH-122906) (#122922)
8c73489
jaraco pushed a commit that referenced this issue Aug 12, 2024
@miss-islington
[3.12] gh-122905: Sanitize names in zipfile.Path. (GH-122906) (#122923)
dcc5182
pablogsal pushed a commit that referenced this issue Aug 19, 2024
@jaraco
[3.11] gh-122905: Sanitize names in zipfile.Path. (GH-122906) (#122925)
795f259 
* gh-122905: Sanitize names in zipfile.Path. (#122906)

Ported from zipp 3.19.1; ref jaraco/zipp#119.

(cherry picked from commit 9cd0326)

* [3.11] gh-122905: Sanitize names in zipfile.Path. (GH-122906)

Ported from zipp 3.19.1; ref jaraco/zippGH-119.
(cherry picked from commit 9cd0326)

Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
jaraco added a commit to jaraco/cpython that referenced this issue Aug 19, 2024
@jaraco
[3.10] [3.11] pythongh-122905: Sanitize names in zipfile.Path. (pytho…
d82745e 
…nGH-122906) (pythonGH-122925)

* pythongh-122905: Sanitize names in zipfile.Path. (pythonGH-122906)

Ported from zipp 3.19.1; ref jaraco/zippGH-119.

(cherry picked from commit 9cd0326)

* [3.11] pythongh-122905: Sanitize names in zipfile.Path. (pythonGH-122906)

Ported from zipp 3.19.1; ref jaraco/zippGH-119.
(cherry picked from commit 9cd0326)

(cherry picked from commit 795f259)

Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
@bedevere-app bedevere-app bot mentioned this issue Aug 19, 2024
Merged
jaraco added a commit to jaraco/cpython that referenced this issue Aug 19, 2024
@jaraco
[3.9] [3.11] pythongh-122905: Sanitize names in zipfile.Path. (python…
8973dbf 
…GH-122906) (pythonGH-122925)

* pythongh-122905: Sanitize names in zipfile.Path. (pythonGH-122906)

Ported from zipp 3.19.1; ref jaraco/zippGH-119.

(cherry picked from commit 9cd0326)

* [3.11] pythongh-122905: Sanitize names in zipfile.Path. (pythonGH-122906)

Ported from zipp 3.19.1; ref jaraco/zippGH-119.
(cherry picked from commit 9cd0326)

(cherry picked from commit 795f259)

Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
This was referenced Aug 19, 2024
Closed
Closed
blhsing pushed a commit to blhsing/cpython that referenced this issue Aug 22, 2024
@jaraco @blhsing
pythongh-122905: Sanitize names in zipfile.Path. (python#122906)
c0d9e10 
Ported from zipp 3.19.1; ref jaraco/zipp#119.
@obfusk
Copy link
Contributor

obfusk commented Aug 22, 2024
edited
Loading

I provided some additional analysis here: https://www.openwall.com/lists/oss-security/2024/08/22/4
Edit: and here: https://www.openwall.com/lists/oss-security/2024/08/23/1

Also, the CVE and security announcement mistakenly say this affects methods of zipfile.ZipFile instead of zipfile.Path.

pablogsal pushed a commit that referenced this issue Aug 22, 2024
@jaraco
[3.10] gh-122905: Sanitize names in zipfile.Path. (GH-122906) (#123160)
e0264a6 
[3.10] [3.11] gh-122905: Sanitize names in zipfile.Path. (GH-122906) (GH-122925)

* gh-122905: Sanitize names in zipfile.Path. (GH-122906)

Ported from zipp 3.19.1; ref jaraco/zippGH-119.

(cherry picked from commit 9cd0326)

* [3.11] gh-122905: Sanitize names in zipfile.Path. (GH-122906)

Ported from zipp 3.19.1; ref jaraco/zippGH-119.
(cherry picked from commit 9cd0326)

(cherry picked from commit 795f259)
algitbot pushed a commit to alpinelinux/aports that referenced this issue Aug 23, 2024
@ncopa
main/python3: fix CVE-2024-8088
be30c12 
Add patch to fix CVE-2024-8088: Infinite loop when iterating over zip
archive entry names.

- python/cpython#122905
- https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
algitbot pushed a commit to alpinelinux/aports that referenced this issue Aug 23, 2024
@ncopa
main/python3: fix CVE-2024-8088
b223e20 
Add patch to fix CVE-2024-8088: Infinite loop when iterating over zip
archive entry names.

- python/cpython#122905
- https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
algitbot pushed a commit to alpinelinux/aports that referenced this issue Aug 23, 2024
main/python3: fix CVE-2024-8088
f0712e5 
Add patch to fix CVE-2024-8088: Infinite loop when iterating over zip
archive entry names.

- python/cpython#122905
- https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
stratakis pushed a commit to stratakis/cpython that referenced this issue Aug 23, 2024
@miss-islington @stratakis
00436: [CVE-2024-8088] pythongh-122905: Sanitize names in zipfile.Path.
7128553
stratakis pushed a commit to stratakis/cpython that referenced this issue Aug 23, 2024
@jaraco @stratakis
00436: [CVE-2024-8088] pythongh-122905: Sanitize names in zipfile.Path.
0479a2a 
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
stratakis pushed a commit to stratakis/cpython that referenced this issue Aug 23, 2024
@jaraco @stratakis
00436: [CVE-2024-8088] pythongh-122905: Sanitize names in zipfile.Path.
431bbe9 
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
bell-sw pushed a commit to bell-sw/alpaquita-aports that referenced this issue Aug 23, 2024
@konfetka1989
core/python3: fix CVE-2024-8088
4618dc5 
[ commit be30c12bfd365f7f008f53c6c1031560ef019bf1 ]

Add patch to fix CVE-2024-8088: Infinite loop when iterating over zip
archive entry names.

- python/cpython#122905
- https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
@jaraco jaraco mentioned this issue Aug 26, 2024
Merged
algitbot pushed a commit to alpinelinux/aports that referenced this issue Aug 27, 2024
@ncopa
main/python3: fix CVE-2024-8088
99375d3 
Add patch to fix CVE-2024-8088: Infinite loop when iterating over zip
archive entry names.

- python/cpython#122905
- https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
algitbot pushed a commit to alpinelinux/aports that referenced this issue Aug 27, 2024
main/python3: fix CVE-2024-8088
e795bfc 
Add patch to fix CVE-2024-8088: Infinite loop when iterating over zip
archive entry names.

- python/cpython#122905
- https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
hroncok pushed a commit to fedora-python/cpython that referenced this issue Aug 28, 2024
@miss-islington @jaraco @stratakis
00436: [CVE-2024-8088] pythongh-122905: Sanitize names in zipfile.Path.
59aca7f 
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jaraco jaraco

Labels
type-bug An unexpected behavior, bug, or error type-security A security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

gh-122905: Sanitize names in zipfile.Path. jaraco/cpython
2 participants
@jaraco @obfusk