
Author vstinner
Recipients christian.heimes, rschiron, vstinner
Date 2020-01-15.10:12:31
Message-id <1579083151.37.0.581430727947.issue39341@roundup.psfhosted.org>
Content
Is this issue a duplicate of bpo-36260 "[security] CVE-2019-9674: Zip Bomb vulnerability" which has been closed by documenting the issue (without touching zipfile.py)?

The zipfile documentation now contains an explicit warning against ZIP bombs:

"""
Resources limitations

The lack of memory or disk volume would lead to decompression failed. For example, decompression bombs (aka ZIP bomb) apply to zipfile library that can cause disk volume exhaustion.
"""

https://docs.python.org/dev/library/zipfile.html#resources-limitations

Note: bpo-36462 "CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py" was closed as duplicate of bpo-36260.
History
Date User Action Args
2020-01-15 10:12:31 vstinner set recipients: + vstinner, christian.heimes, rschiron
2020-01-15 10:12:31 vstinner set messageid: <1579083151.37.0.581430727947.issue39341@roundup.psfhosted.org>
2020-01-15 10:12:31 vstinner link issue39341 messages
2020-01-15 10:12:31 vstinner create
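
Because the documentation warning quoted in the message leaves resource limits to the caller, here is one way an application could enforce them around zipfile. This is an added example, not part of the original message and not code from zipfile.py; the names `safe_read_all`, `make_zip`, `ArchiveTooLarge` and the limit values are hypothetical choices for illustration.

```python
import io
import zipfile

# Assumed limits for this example; the zipfile docs do not prescribe values.
MAX_TOTAL_BYTES = 10 * 1024 * 1024   # budget for all uncompressed output
MAX_RATIO = 100                      # per-member uncompressed/compressed ratio
CHUNK = 64 * 1024


class ArchiveTooLarge(Exception):
    """Raised when an archive would exceed the configured limits."""


def safe_read_all(data, max_total=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO):
    """Return {name: bytes} for the ZIP in `data`, enforcing resource limits."""
    out, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # Cheap pre-check on the sizes declared in the central directory.
        declared = sum(i.file_size for i in infos)
        if declared > max_total:
            raise ArchiveTooLarge(f"declared size {declared} > {max_total}")
        for info in infos:
            if info.file_size > max_ratio * max(info.compress_size, 1):
                raise ArchiveTooLarge(f"{info.filename}: ratio too high")
        # Also count the bytes actually produced instead of relying on
        # the header fields alone, reading in bounded chunks.
        for info in infos:
            buf = bytearray()
            with zf.open(info) as src:
                while chunk := src.read(CHUNK):
                    total += len(chunk)
                    if total > max_total:
                        raise ArchiveTooLarge("output exceeds budget")
                    buf += chunk
            out[info.filename] = bytes(buf)
    return out


def make_zip(members):
    """Build a constructed in-memory ZIP from {name: bytes} (sample input)."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return bio.getvalue()
```

The same counting loop applies when writing members to disk: replace the `bytearray` with a file handle and stop writing as soon as the budget is exceeded.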