classification
Title: [security] zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size
Type: security Stage: resolved
Components: Library (Lib) Versions: Python 3.9, Python 3.8, Python 3.7, Python 3.6, Python 3.5, Python 2.7
process
Status: closed Resolution: duplicate
Dependencies: Superseder: [security] CVE-2019-9674: Zip Bomb vulnerability
View: 36260
Assigned To: Nosy List: christian.heimes, rschiron, serhiy.storchaka, vstinner, xtreak
Priority: normal Keywords:

Created on 2020-01-15 09:57 by vstinner, last changed 2020-02-10 07:59 by vstinner. This issue is now closed.

Files
File name Uploaded Description
create_zip.py vstinner, 2020-01-15 09:58
poc.py vstinner, 2020-01-15 10:00
malicious.zip vstinner, 2020-01-15 10:00
Messages (7)
msg360034 - Author: STINNER Victor (vstinner) (Python committer) Date: 2020-01-15 09:57
Laish, Amit (GE Digital) reported a vulnerability in the zipfile module to the PSRT list. The module is vulnerable to ZIP bombs:
https://en.wikipedia.org/wiki/Zip_bomb

A 100 KB malicious ZIP file announces an uncompressed size of 1 byte but extracting it writes 100 MB on disk.

Python 2.7 is vulnerable.

Python 3.7 does not seem to be directly vulnerable. The proof of concept fails with:

$ python3 poc.py 
The size of the uncompressed data is: 1 bytes
Traceback (most recent call last):
  File "poc.py", line 18, in <module>
    extract() # The uncompressed size is more than 20GB :)
  File "poc.py", line 6, in extract
    zip_ref.extractall('./')
  File "/usr/lib64/python3.7/zipfile.py", line 1636, in extractall
    self._extract_member(zipinfo, path, pwd)
  File "/usr/lib64/python3.7/zipfile.py", line 1691, in _extract_member
    shutil.copyfileobj(source, target)
  File "/usr/lib64/python3.7/shutil.py", line 79, in copyfileobj
    buf = fsrc.read(length)
  File "/usr/lib64/python3.7/zipfile.py", line 930, in read
    data = self._read1(n)
  File "/usr/lib64/python3.7/zipfile.py", line 1020, in _read1
    self._update_crc(data)
  File "/usr/lib64/python3.7/zipfile.py", line 948, in _update_crc
    raise BadZipFile("Bad CRC-32 for file %r" % self.name)
zipfile.BadZipFile: Bad CRC-32 for file 'dummy1.txt'

The malicious ZIP file size is 100 KB. Extracting it writes dummy1.txt: 100 MB only made of a single character "0" (zero, Unicode character U+0030 or byte 0x30) repeated on 100 MB.

The original proof of concept used a 20 MB ZIP writing 20 GB on disk. It's just the same text file repeated in 200 files. I created a smaller ZIP just to be able to upload it to bugs.python.org.

Attached files:

* create_zip.py: creates malicious.zip from valid.zip by modifying the uncompressed size of the compressed dummy1.txt
* valid.zip: compressed dummy1.txt, file size is 100 KB
* poc.py: extract malicious.zip

--

The zipfile documentation describes "Decompression pitfalls":
https://docs.python.org/dev/library/zipfile.html#decompression-pitfalls

The zlib.decompress() function has a max_length parameter:
https://docs.python.org/dev/library/zlib.html#zlib.Decompress.decompress

See also my notes on "Archives and Zip Bomb":
https://python-security.readthedocs.io/security.html#archives-and-zip-bomb

--

unzip program of Fedora unzip-6.0-44.fc31.x86_64 package has the same vulnerability:

$ unzip malicious.zip 
Archive:  malicious.zip
  inflating: dummy1.txt 

$ unzip -l malicious.zip 
Archive:  malicious.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        1  03-12-2019 14:10   dummy1.txt
---------                     -------
        1                     1 file

--

According to Riccardo Schirone (Red Hat), p7zip, on the other hand, seems to use the minimum value between the header value and the file one, so it extracts only 1 byte and correctly complains about CRC failures.
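The mechanics described in this message, as an added example that is not part of the issue, of its attached scripts, or of CPython's zipfile module: the "uncompressed size" field of a single-member archive is overwritten the way create_zip.py does, the result is fed to zipfile (which, on Python 3, truncates the member to the announced size and then fails the CRC check, as in the traceback above), and a bounded inflater is shown beside it that never trusts the header: it caps output by a caller-supplied byte budget and by a compression-ratio ceiling while the stream is produced, using the zlib max_length parameter the message points to, and only afterwards compares announced size and CRC against what was actually inflated. All names (build_archive, forge_uncompressed_size, inflate_member_bounded, ZipBombError, demo), the header offsets used for forging, the 100:1 default ratio and the constructed 2 MiB payload are assumptions of this example.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
LOCAL_HDR = struct.Struct("<4s2B4HL2L2H")  # 30-byte local file header
READ_STEP = 64 * 1024                       # max_length handed to zlib per call


class ZipBombError(Exception):
    """Inflated output exceeded the caller's budget (hypothetical name)."""


def build_archive(payload: bytes, name: str = "dummy1.txt") -> bytes:
    # Constructed sample input: a valid single-member deflated archive.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def forge_uncompressed_size(zip_bytes: bytes, fake_size: int) -> bytes:
    # Overwrite the "uncompressed size" field in the local header (offset 22)
    # and in the central directory entry (offset 24) of a single-member
    # archive. Deflate data and CRC stay untouched: only the announced size lies.
    data = bytearray(zip_bytes)
    if data[:4] != LOCAL_SIG:
        raise ValueError("first local file header not found")
    struct.pack_into("<L", data, 22, fake_size)
    cd = data.rfind(CENTRAL_SIG)
    if cd == -1:
        raise ValueError("central directory not found")
    struct.pack_into("<L", data, cd + 24, fake_size)
    return bytes(data)


def announced_size(zip_bytes: bytes, name: str) -> int:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.getinfo(name).file_size


def stdlib_extract_outcome(zip_bytes: bytes, name: str):
    # What zipfile itself does with the member: (bytes read, exception name).
    total = 0
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, zf.open(name) as src:
            chunk = src.read(READ_STEP)
            while chunk:
                total += len(chunk)
                chunk = src.read(READ_STEP)
    except zipfile.BadZipFile as exc:
        return total, type(exc).__name__
    return total, None


def inflate_member_bounded(zip_bytes, name, max_out, max_ratio=100):
    # Inflate one DEFLATE member without trusting the announced size: output is
    # capped by max_out and by max_ratio * compressed size while it is produced
    # (zlib max_length); CRC and announced size are checked against the result.
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.getinfo(name)
    if info.compress_type != zipfile.ZIP_DEFLATED:
        raise ValueError("this example handles ZIP_DEFLATED members only")
    hdr = LOCAL_HDR.unpack_from(zip_bytes, info.header_offset)
    if hdr[0] != LOCAL_SIG:
        raise zipfile.BadZipFile("bad local header for %r" % name)
    start = info.header_offset + LOCAL_HDR.size + hdr[10] + hdr[11]  # skip name, extra
    compressed = zip_bytes[start:start + info.compress_size]
    budget = min(max_out, max_ratio * max(info.compress_size, 1))

    inflater = zlib.decompressobj(-zlib.MAX_WBITS)  # raw deflate, no zlib header
    out, crc, pending = bytearray(), 0, compressed
    while True:
        before = len(pending)
        piece = inflater.decompress(pending, READ_STEP)
        pending = inflater.unconsumed_tail
        out += piece
        crc = zlib.crc32(piece, crc)
        if len(out) > budget:
            raise ZipBombError("%r inflated past %d bytes (announced %d)"
                               % (name, budget, info.file_size))
        if inflater.eof:
            break
        if not piece and len(pending) == before:
            raise zipfile.BadZipFile("truncated deflate stream in %r" % name)
    if len(out) != info.file_size:
        raise zipfile.BadZipFile("announced size %d, actual %d" % (info.file_size, len(out)))
    if crc != info.CRC:
        raise zipfile.BadZipFile("Bad CRC-32 for file %r" % name)
    return bytes(out)


def bounded_outcome(zip_bytes, name, max_out, max_ratio=100):
    try:
        return "ok", len(inflate_member_bounded(zip_bytes, name, max_out, max_ratio))
    except ZipBombError:
        return "bomb", 0
    except zipfile.BadZipFile:
        return "bad", 0


def demo():
    zeros = b"0" * (2 * 1024 * 1024)               # the issue's dummy1.txt, scaled down
    honest = build_archive(zeros)                   # header tells the truth
    bomb = forge_uncompressed_size(honest, 1)       # header announces 1 byte
    return {
        "announced": announced_size(bomb, "dummy1.txt"),
        "stdlib": stdlib_extract_outcome(bomb, "dummy1.txt"),
        "bounded_bomb": bounded_outcome(bomb, "dummy1.txt", max_out=1024 * 1024),
        "ratio_cap": bounded_outcome(honest, "dummy1.txt", max_out=16 * 1024 * 1024),
        "ratio_relaxed": bounded_outcome(honest, "dummy1.txt", 16 * 1024 * 1024, 5000),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the ratio_cap and ratio_relaxed cases: an archive whose header is honest about a 2 MiB member is still rejected or accepted purely on the caller's budget, because the truncation-to-announced-size behaviour of Python 3's ZipExtFile only helps when the header lies downward. An attacker who simply announces the true, huge size gets that size written to disk by zipfile, exactly as with unzip above, so the limit has to come from the consumer, not from the archive. In a real service the same budget is applied across all members and to the member count, and the ratio threshold is a policy choice (100:1 is far below what runs of identical bytes reach under deflate).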
msg360036 - Author: STINNER Victor (vstinner) (Python committer) Date: 2020-01-15 10:06
Amit Laish reported the exact same vulnerability to rubyzip and they released a fix for it, CVE-2019-16892.
msg360037 - Author: STINNER Victor (vstinner) (Python committer) Date: 2020-01-15 10:12
Is this issue a duplicate of bpo-36260 "[security] CVE-2019-9674: Zip Bomb vulnerability" which has been closed by documenting the issue (without touching zipfile.py)?

The zipfile documentation now contains an explicit warning against ZIP bombs:

"""
Resources limitations

The lack of memory or disk volume would lead to decompression failed. For example, decompression bombs (aka ZIP bomb) apply to zipfile library that can cause disk volume exhaustion.
"""

https://docs.python.org/dev/library/zipfile.html#resources-limitations

Note: bpo-36462 "CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py" was closed as duplicate of bpo-36260.
msg360038 - Author: Karthikeyan Singaravelan (xtreak) (Python committer) Date: 2020-01-15 10:15
See also some discussion regarding this class of vulnerability: https://bugs.python.org/issue36260
msg360045 - Author: Serhiy Storchaka (serhiy.storchaka) (Python committer) Date: 2020-01-15 12:01
Is this a 2.7-only issue? I think it is too late.
msg360053 - Author: STINNER Victor (vstinner) (Python committer) Date: 2020-01-15 13:18
> Is this a 2.7-only issue? I think it is too late.

I vaguely recall that Christian Heimes wrote something about Python 3 in a private email, but I cannot find this email anymore :-p In case of doubt, I marked Python 3 as affected as well.
msg361672 - Author: STINNER Victor (vstinner) (Python committer) Date: 2020-02-10 07:59
I close this issue as a duplicate of bpo-36260.
History
Date User Action Args
2020-02-10 07:59:22 vstinner set status: open -> closed; superseder: [security] CVE-2019-9674: Zip Bomb vulnerability; messages: + msg361672; resolution: duplicate; stage: resolved
2020-01-15 13:18:10 vstinner set messages: + msg360053
2020-01-15 12:01:19 serhiy.storchaka set messages: + msg360045
2020-01-15 10:15:58 xtreak set nosy: + xtreak, serhiy.storchaka; messages: + msg360038
2020-01-15 10:12:31 vstinner set messages: + msg360037
2020-01-15 10:06:21 vstinner set messages: + msg360036
2020-01-15 10:00:52 vstinner set nosy: + christian.heimes, rschiron; title: zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size -> [security] zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size
2020-01-15 10:00:34 vstinner set files: + malicious.zip
2020-01-15 10:00:24 vstinner set files: + poc.py
2020-01-15 09:58:21 vstinner set files: + create_zip.py
2020-01-15 09:57:18 vstinner create