New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[security] zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size #83522
Comments
Laish, Amit (GE Digital) reported a vulnerability in the zipfile module to the PSRT list. The module is vulnerable to ZIP Bomb: A 100 KB malicious ZIP file announces an uncompressed size of 1 byte but extracting it writes 100 MB on disk. Python 2.7 is vulnerable. Python 3.7 does not seem to be directly vulnerable. The proof of concept fails with: $ python3 poc.py
The size of the uncompressed data is: 1 bytes
Traceback (most recent call last):
File "poc.py", line 18, in <module>
extract() # The uncompressed size is more than 20GB :)
File "poc.py", line 6, in extract
zip_ref.extractall('./')
File "/usr/lib64/python3.7/zipfile.py", line 1636, in extractall
self._extract_member(zipinfo, path, pwd)
File "/usr/lib64/python3.7/zipfile.py", line 1691, in _extract_member
shutil.copyfileobj(source, target)
File "/usr/lib64/python3.7/shutil.py", line 79, in copyfileobj
buf = fsrc.read(length)
File "/usr/lib64/python3.7/zipfile.py", line 930, in read
data = self._read1(n)
File "/usr/lib64/python3.7/zipfile.py", line 1020, in _read1
self._update_crc(data)
File "/usr/lib64/python3.7/zipfile.py", line 948, in _update_crc
raise BadZipFile("Bad CRC-32 for file %r" % self.name)
zipfile.BadZipFile: Bad CRC-32 for file 'dummy1.txt' The malicious ZIP file size is 100 KB. Extracting it writes dummy1.txt: 100 MB only made of a single character "0" (zero, Unicode character U+0030 or byte 0x30) repeated on 100 MB. The original proof of concept used a 20 MB ZIP writing 20 GB on disk. It's just the same text file repeated 200 files. I created a smaller ZIP just to be able to upload it to bugs.python.org. Attached files:
-- The zipfile documentation describes "Decompression pitfalls": The zlib.decompress() function has a max_length parameter: See also my notes on "Archives and Zip Bomb": -- unzip program of Fedora unzip-6.0-44.fc31.x86_64 package has the same vulnerability: $ unzip malicious.zip
Archive: malicious.zip
inflating: dummy1.txt
$ unzip -l malicious.zip
Archive: malicious.zip
Length Date Time Name
--------- ---------- -----
--------- ------- -- According to Riccardo Schirone (Red Hat), p7zip, on the other hand, seems to use the minimum value between the header value and the file one, so it extracts only 1 byte and correctly complains about CRC failures. |
Amit Laish reported the exact same vulnerability to rubyzip and they released a fix for it, CVE-2019-16892. |
Is this issue a duplicate of bpo-36260 "[security] CVE-2019-9674: Zip Bomb vulnerability" which has been closed by documenting the issue (without touching zipfile.py)? The zipfile documentation now contains an explicit warning against ZIP bombs: """ The lack of memory or disk volume would lead to decompression failed. For example, decompression bombs (aka ZIP bomb) apply to zipfile library that can cause disk volume exhaustion. https://docs.python.org/dev/library/zipfile.html#resources-limitations Note: bpo-36462 "CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py" was closed as duplicate of bpo-36260. |
See also some discussion on regarding this class of vulnerability : https://bugs.python.org/issue36260 |
Is this 2.7 only issue? I think it is too late. |
I vaguely recall that Christian Heimes wrote something about Python 3 in a private email, but I cannot find this email anymore :-p In case of doubt, I marked Python 3 as affected as well. |
I close this issue as a duplicate of bpo-36260. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: