Author vstinner
Recipients vstinner
Date 2020-01-15.09:57:16
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
Laish, Amit (GE Digital) reported a vulnerability in the zipfile module to the PSRT list. The module is vulnerable to a ZIP bomb:

A 100 KB malicious ZIP file announces an uncompressed size of 1 byte but extracting it writes 100 MB on disk.

Python 2.7 is vulnerable.

Python 3.7 does not seem to be directly vulnerable. The proof of concept fails with:

$ python3 
The size of the uncompressed data is: 1 bytes
Traceback (most recent call last):
  File "", line 18, in <module>
    extract() # The uncompressed size is more than 20GB :)
  File "", line 6, in extract
  File "/usr/lib64/python3.7/", line 1636, in extractall
    self._extract_member(zipinfo, path, pwd)
  File "/usr/lib64/python3.7/", line 1691, in _extract_member
    shutil.copyfileobj(source, target)
  File "/usr/lib64/python3.7/", line 79, in copyfileobj
    buf =
  File "/usr/lib64/python3.7/", line 930, in read
    data = self._read1(n)
  File "/usr/lib64/python3.7/", line 1020, in _read1
  File "/usr/lib64/python3.7/", line 948, in _update_crc
    raise BadZipFile("Bad CRC-32 for file %r" %
zipfile.BadZipFile: Bad CRC-32 for file 'dummy1.txt'

The malicious ZIP file size is 100 KB. Extracting it writes dummy1.txt: 100 MB made only of a single character "0" (zero, Unicode character U+0030 or byte 0x30) repeated over 100 MB.

The original proof of concept used a 20 MB ZIP writing 20 GB on disk. It's just the same text file repeated in 200 files. I created a smaller ZIP just to be able to upload it to

Attached files:

* created by modifying the uncompressed size of compressed dummy1.txt
* compressed dummy1.txt, file size is 100 KB
* extract


The zipfile documentation describes "Decompression pitfalls":

The zlib.decompress() function has a max_length parameter:

See also my notes on "Archives and Zip Bomb":


The unzip program of the Fedora unzip-6.0-44.fc31.x86_64 package has the same vulnerability:

$ unzip 
  inflating: dummy1.txt 

$ unzip -l 
  Length      Date    Time    Name
---------  ---------- -----   ----
        1  03-12-2019 14:10   dummy1.txt
---------                     -------
        1                     1 file


According to Riccardo Schirone (Red Hat), p7zip, on the other hand, seems to use the minimum value between the header value and the file one, so it extracts only 1 byte and correctly complains about CRC failures.
Date                 User      Action          Args
2020-01-15 09:57:18  vstinner  set recipients  + vstinner
2020-01-15 09:57:18  vstinner  set messageid   <>
2020-01-15 09:57:18  vstinner  link            issue39341 messages
2020-01-15 09:57:16  vstinner  create
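The forged-size technique described in this message, as an added example that is not part of the bug report or of CPython: it builds a one-entry ZIP from a constructed 4 MiB run of "0" (not the attached file) whose compressed data and CRC-32 are genuine but whose uncompressed-size field is set to 1 in both the local and the central directory header, then extracts it three ways: inflating to the end of the stream with no checks (the pattern the message attributes to Python 2.7 and unzip), with the standard zipfile module, and with a zlib.decompressobj loop that uses max_length to stop at the declared size, the approach the message attributes to p7zip, plus a check that the stream has nothing left after that size. The function names, the 64 KiB chunk size and the ValueError messages are the example's own choices.

```python
"""Added example: a one-entry ZIP whose uncompressed-size field is forged,
extracted three ways: trusting the stream (the vulnerable pattern), with
the standard zipfile module, and with a bounded zlib loop."""
import io
import struct
import zipfile
import zlib

LOCAL_HDR = "<4sHHHHHIIIHH"          # local file header (30 bytes)
CENTRAL_HDR = "<4sHHHHHHIIIHHHHHII"  # central directory header (46 bytes)
EOCD = "<4sHHHHIIH"                  # end of central directory (22 bytes)
CHUNK = 64 * 1024                    # example's own read granularity


def build_zip(payload: bytes, name: bytes, declared_size: int) -> bytes:
    """One DEFLATE entry with genuine compressed data and CRC-32, but the
    'uncompressed size' field set to declared_size in both headers."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # raw deflate, as in ZIP
    cdata = comp.compress(payload) + comp.flush()
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    local = struct.pack(LOCAL_HDR, b"PK\x03\x04", 20, 0, 8, 0, 0x21,
                        crc, len(cdata), declared_size, len(name), 0) + name
    central = struct.pack(CENTRAL_HDR, b"PK\x01\x02", 20, 20, 0, 8, 0, 0x21,
                          crc, len(cdata), declared_size, len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack(EOCD, b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(cdata), 0)
    return local + cdata + central + eocd


def _local_entry(zip_bytes: bytes):
    """Return (declared_size, crc, raw_deflate_bytes) of the first entry."""
    hdr = struct.unpack(LOCAL_HDR, zip_bytes[:30])
    if hdr[0] != b"PK\x03\x04" or hdr[3] != 8:
        raise ValueError("expected a DEFLATE local file header")
    crc, csize, usize, nlen, xlen = hdr[6:11]
    start = 30 + nlen + xlen
    return usize, crc, zip_bytes[start:start + csize]


def naive_extract(zip_bytes: bytes) -> int:
    """The vulnerable pattern: inflate until the stream says it is done and
    check nothing. Returns the number of bytes that would be written."""
    _, _, cdata = _local_entry(zip_bytes)
    return len(zlib.decompress(cdata, -15))


def bounded_extract(zip_bytes: bytes) -> bytes:
    """Hardened: max_length keeps every decompress() call within the
    declared size, a stream that still has output after that is rejected,
    and the CRC-32 of what was produced must match the header."""
    declared, crc, cdata = _local_entry(zip_bytes)
    d = zlib.decompressobj(-15)
    out = bytearray()
    data = cdata
    while not d.eof and len(out) < declared:
        piece = d.decompress(data, max_length=min(CHUNK, declared - len(out)))
        if not piece:
            break                      # no progress: truncated input
        out += piece
        data = d.unconsumed_tail       # input zlib has not consumed yet
    if not d.eof:
        # Ask for one more byte: a legitimate entry only has the end-of-stream
        # marker left, a forged one still yields real data.
        if d.decompress(d.unconsumed_tail, max_length=1) or not d.eof:
            raise ValueError("entry produces more than the declared %d bytes"
                             % declared)
    if zlib.crc32(bytes(out)) & 0xFFFFFFFF != crc:
        raise ValueError("bad CRC-32 for entry")
    return bytes(out)


def bounded_outcome(zip_bytes: bytes) -> str:
    try:
        return "ok: %d bytes" % len(bounded_extract(zip_bytes))
    except ValueError as exc:
        return "rejected: %s" % exc


def stdlib_outcome(zip_bytes: bytes, name: str) -> str:
    """What the zipfile module does with the same bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return "%d bytes" % len(zf.read(name))
    except zipfile.BadZipFile as exc:
        return "BadZipFile: %s" % exc


# Constructed sample: 4 MiB of "0" (the character the PoC used), declared as 1 byte.
PAYLOAD = b"0" * (4 * 1024 * 1024)
NAME = b"dummy1.txt"
FORGED = build_zip(PAYLOAD, NAME, 1)
HONEST = build_zip(PAYLOAD, NAME, len(PAYLOAD))

if __name__ == "__main__":
    print("archive size: %d bytes, declared uncompressed size: 1 byte" % len(FORGED))
    print("naive inflate writes:", naive_extract(FORGED), "bytes")
    print("bounded extract:", bounded_outcome(FORGED))
    print("zipfile module:", stdlib_outcome(FORGED, "dummy1.txt"))
    print("honest archive:", bounded_outcome(HONEST))
```

The bounded loop rejects the forged entry before the CRC check runs, because asking for one more byte past the declared size still yields data; the CRC check then covers the opposite case, an entry that ends earlier than declared. The bound is still the attacker-supplied header value, so a caller that trusts nothing in the archive should also cap the total output independently of any header.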