[security] zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size #83522
Comments
|
Laish, Amit (GE Digital) reported a vulnerability in the zipfile module to the PSRT list. The module is vulnerable to ZIP Bomb: A 100 KB malicious ZIP file announces an uncompressed size of 1 byte but extracting it writes 100 MB on disk. Python 2.7 is vulnerable. Python 3.7 does not seem to be directly vulnerable. The proof of concept fails with: $ python3 poc.py
The size of the uncompressed data is: 1 bytes
Traceback (most recent call last):
File "poc.py", line 18, in <module>
extract() # The uncompressed size is more than 20GB :)
File "poc.py", line 6, in extract
zip_ref.extractall('./')
File "/usr/lib64/python3.7/zipfile.py", line 1636, in extractall
self._extract_member(zipinfo, path, pwd)
File "/usr/lib64/python3.7/zipfile.py", line 1691, in _extract_member
shutil.copyfileobj(source, target)
File "/usr/lib64/python3.7/shutil.py", line 79, in copyfileobj
buf = fsrc.read(length)
File "/usr/lib64/python3.7/zipfile.py", line 930, in read
data = self._read1(n)
File "/usr/lib64/python3.7/zipfile.py", line 1020, in _read1
self._update_crc(data)
File "/usr/lib64/python3.7/zipfile.py", line 948, in _update_crc
raise BadZipFile("Bad CRC-32 for file %r" % self.name)
zipfile.BadZipFile: Bad CRC-32 for file 'dummy1.txt'The malicious ZIP file size is 100 KB. Extracting it writes dummy1.txt: 100 MB only made of a single character "0" (zero, Unicode character U+0030 or byte 0x30) repeated on 100 MB. The original proof of concept used a 20 MB ZIP writing 20 GB on disk. It's just the same text file repeated 200 files. I created a smaller ZIP just to be able to upload it to bugs.python.org. Attached files:
-- The zipfile documentation describes "Decompression pitfalls": The zlib.decompress() function has a max_length parameter: See also my notes on "Archives and Zip Bomb": -- unzip program of Fedora unzip-6.0-44.fc31.x86_64 package has the same vulnerability: $ unzip malicious.zip
Archive: malicious.zip
inflating: dummy1.txt
$ unzip -l malicious.zip
Archive: malicious.zip
Length Date Time Name
--------- ---------- ----- --------- ------- -- According to Riccardo Schirone (Red Hat), p7zip, on the other hand, seems to use the minimum value between the header value and the file one, so it extracts only 1 byte and correctly complains about CRC failures. |
vstinner
added
3.7 (EOL)
vstinner
changed the title
vstinner
changed the title
|
Amit Laish reported the exact same vulnerability to rubyzip and they released a fix for it, CVE-2019-16892. |
|
Is this issue a duplicate of bpo-36260 "[security] CVE-2019-9674: Zip Bomb vulnerability" which has been closed by documenting the issue (without touching zipfile.py)? The zipfile documentation now contains an explicit warning against ZIP bombs: """ The lack of memory or disk volume would lead to decompression failed. For example, decompression bombs (aka ZIP bomb) apply to zipfile library that can cause disk volume exhaustion. https://docs.python.org/dev/library/zipfile.html#resources-limitations Note: bpo-36462 "CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py" was closed as duplicate of bpo-36260. |
|
See also some discussion on regarding this class of vulnerability : https://bugs.python.org/issue36260 |
|
Is this 2.7 only issue? I think it is too late. |
I vaguely recall that Christian Heimes wrote something about Python 3 in a private email, but I cannot find this email anymore :-p In case of doubt, I marked Python 3 as affected as well. |
|
I close this issue as a duplicate of bpo-36260. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: