This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author krnick
Recipients krnick
Date 2019-03-28.15:46:10
Message-id <1553787971.02.0.405823788778.issue36462@roundup.psfhosted.org>
In-reply-to
Content
Dear Python Community, 

we found a Python module vulnerability recently and got a CVE number, CVE-2019-9674, after reporting it to cve.mitre.org.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9674


The reserved information of CVE-2019-9674 is shown below:

	   [Description]

           Lib/zipfile.py in Python through 3.7.2 allows remote 
           attackers to cause a denial of service (resource consumption) 
           via a ZIP bomb.


           [Additional Information]

           The Python zipfile library, versions 3.2, 3.3, 3.4, 3.5, 3.6,
           3.7 and 3.8, allows attackers to cause a denial of service (disk
           volume exhaustion) via a ZIP bomb.


           We have found that the Python standard library zipfile doesn't
           have ZIP bomb detection or protection. If the user uses the
           zipfile library to unzip a ZIP bomb file, this might cause a
           denial of service on the local host.


          [VulnerabilityType Other]

          Denial-of-Service



Our proposed solutions:


    1. The compression ratio:

    Compression ratio = Uncompressed file size / Compressed file size

    Since a ZIP bomb has a much higher compression ratio (1028) than a
    normal ZIP file (1 to 3), we calculate the compression ratio and set
    a threshold for the detection.

    2. Nested zip file

    There is a high chance that it is a zip bomb if it is a nested zip
    file.

    3. Limiting resources such as CPU, memory and disk usage.


Unsolved issue

    However, we have not yet determined the compression ratio. We
    temporarily set the compression ratio to 10, and if it is exceeded, the
    file may be a ZIP bomb.

    It is likely that the detection may misjudge nested compressed files.
    For example, under normal circumstances, compressed files are sometimes
    included in a zip file.


Our solution code:

"""For ratio"""

def _exam_ratio(self, threshold=10):
    """If the ratio exceeds threshold, it may be a ZIP Bomb."""
    sum_file_size = sum([data.file_size for data in self.filelist])
    sum_compress_size = sum([data.compress_size for data in self.filelist])
    ratio = sum_file_size / sum_compress_size
    if (ratio > threshold):
        raise BadZipFile("Zip Bomb Detected")

"""For Nested zip file"""

if(members.filename.endswith(".zip")):
    raise BadZipFile("Nested Zip File Detected")


Thanks!
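The three proposals above (ratio threshold, nested-archive check, resource limit) combined into one guard, as an added example that is not part of krnick's report or of CPython's zipfile. The thresholds, the function names, and the three in-memory archives are assumptions constructed for this example. The important addition over the posted snippet is the byte budget enforced while decompressing: the file_size and compress_size fields come from the central directory and can be falsified, so the ratio check alone is advisory and the only reliable limit is counting the bytes that actually come out of the inflater.

```python
"""Added example: ZIP bomb guard for zipfile archives.

Not from the bug report or CPython. Thresholds and sample archives are
assumptions chosen for illustration.
"""
import io
import zipfile
from zipfile import BadZipFile

# Assumed thresholds for this example (the report itself leaves them open).
RATIO_THRESHOLD = 10                       # report's temporary value
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024  # 50 MiB output budget per archive
CHUNK = 64 * 1024                          # inflate in 64 KiB pieces


def declared_ratio(zf):
    """Overall compression ratio from the central-directory sizes.
    These fields are attacker-controlled, so treat the result as a hint."""
    total_file = sum(zi.file_size for zi in zf.infolist())
    total_comp = sum(zi.compress_size for zi in zf.infolist())
    if total_comp == 0:
        return 0.0  # empty archive or only empty members
    return total_file / total_comp


def check_archive(zf, ratio_threshold=RATIO_THRESHOLD):
    """Cheap pre-extraction checks: proposals 1 and 2 from the report."""
    ratio = declared_ratio(zf)
    if ratio > ratio_threshold:
        raise BadZipFile("Zip Bomb Detected: declared ratio %.1f exceeds %d"
                         % (ratio, ratio_threshold))
    for zi in zf.infolist():
        if zi.filename.lower().endswith(".zip"):
            raise BadZipFile("Nested Zip File Detected: %s" % zi.filename)


def safe_extract_bytes(zf, max_total=MAX_TOTAL_UNCOMPRESSED):
    """Proposal 3: decompress each member in chunks and count the bytes that
    actually come out, aborting once the running total passes max_total.
    Works even if the headers lie about file_size. Returns {name: bytes}."""
    out = {}
    total = 0
    for zi in zf.infolist():
        buf = io.BytesIO()
        with zf.open(zi) as fh:
            while True:
                chunk = fh.read(CHUNK)
                if not chunk:
                    break
                total += len(chunk)
                if total > max_total:
                    raise BadZipFile("Zip Bomb Detected while inflating %s: "
                                     "output exceeds %d bytes"
                                     % (zi.filename, max_total))
                buf.write(chunk)
        out[zi.filename] = buf.getvalue()
    return out


def scan(blob, ratio_threshold=RATIO_THRESHOLD, max_total=MAX_TOTAL_UNCOMPRESSED):
    """Run the pre-checks, then the budgeted extraction, on an archive held
    in memory. Returns ("ok", {name: size}) or ("rejected", reason)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            check_archive(zf, ratio_threshold)
            files = safe_extract_bytes(zf, max_total)
        return ("ok", {name: len(data) for name, data in files.items()})
    except BadZipFile as exc:
        return ("rejected", str(exc))


def build_zip(members):
    """Construct a DEFLATE archive in memory from {name: bytes} (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives (not real-world files):
NORMAL_TEXT = (b"Minutes of the 2019-03-28 meeting: the build farm was moved "
               b"to the new rack, the ticket backlog was triaged, and two "
               b"reviewers signed off on the documentation changes.\n")
NORMAL = build_zip({"readme.txt": NORMAL_TEXT})              # ratio near 1
BOMB = build_zip({"zeros.bin": b"\0" * (8 * 1024 * 1024)})   # 8 MiB -> a few KiB
NESTED = build_zip({"inner.zip": NORMAL})                    # archive in archive


if __name__ == "__main__":
    for label, blob in (("normal", NORMAL), ("bomb", BOMB), ("nested", NESTED)):
        print(label, scan(blob))
    # Even with the ratio check disabled, the byte budget stops the bomb:
    print("bomb, ratio check off, 1 MiB budget:",
          scan(BOMB, ratio_threshold=10 ** 9, max_total=1024 * 1024))
```

The ratio and nested-archive checks reject the obvious cases cheaply, but a deliberately malformed central directory can report small sizes for a large payload, so the output budget in safe_extract_bytes is the control that actually bounds disk and memory use; the final call in the usage block shows it catching the bomb with the ratio check switched off.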
History
Date                 User    Action  Args
2019-03-28 15:46:11  krnick  set     recipients: + krnick
2019-03-28 15:46:11  krnick  set     messageid: <1553787971.02.0.405823788778.issue36462@roundup.psfhosted.org>
2019-03-28 15:46:10  krnick  link    issue36462 messages
2019-03-28 15:46:10  krnick  create