6 Apr 2024, 12:31 a.m.
Hello, I am a bit confused about this.

On Tue, 2024-03-19 at 11:10 -0400, Ee Durbin wrote:

> An issue was found in the CPython `zipfile` module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior.

It seems that 3.11.8 and 3.12.2 already contained a patch for this:

$ git describe --contains a956e510f6336d5ae111ba429a61c3ade30a7549
v3.11.8~173
$ git describe --contains fa181fcf2156f703347b03a3b1966ce47be8ab3b
v3.12.2~196

> The zipfile module is vulnerable to "quoted-overlap" zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives which overlap entries in the archive.

--
Best regards,
Michał Górny
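The quoted advisory describes the defect as central-directory entries whose byte ranges overlap inside the archive. The following is an added example, not code from the thread and not CPython's own `zipfile` check: it walks the central directory of an archive, reads each member's local file header to work out the exact byte extent that member occupies, and reports any two members whose extents overlap. The sample archive is constructed in memory; the function names (`entry_extent`, `find_overlaps`, `check_archive`) are this example's own.

```python
import io
import struct
import zipfile

# Local file header layout (30 bytes): signature, version needed, flags,
# method, mod time, mod date, crc32, compressed size, uncompressed size,
# filename length, extra-field length.
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)
DATA_DESCRIPTOR_FLAG = 0x0008


def entry_extent(raw, info):
    """Return (start, end) of the bytes that member `info` occupies in `raw`.

    The start comes from the central directory (header_offset); the end is
    computed from the *local* header, because a crafted archive may give the
    local header a different filename/extra length than the central one.
    """
    start = info.header_offset
    fields = struct.unpack_from(LOCAL_HEADER_FMT, raw, start)
    sig, _ver, flags, _method, _t, _d, _crc, _csize, _usize, fnlen, extralen = fields
    if sig != b"PK\x03\x04":
        raise zipfile.BadZipFile(f"bad local header for {info.filename!r}")
    end = start + LOCAL_HEADER_LEN + fnlen + extralen + info.compress_size
    if flags & DATA_DESCRIPTOR_FLAG:
        # Streamed members carry a trailing data descriptor: 12 bytes, or 16
        # when the optional PK\x07\x08 signature is present.
        end += 16 if raw[end:end + 4] == b"PK\x07\x08" else 12
    return start, end


def find_overlaps(extents):
    """extents: iterable of (name, start, end) half-open byte ranges.

    Returns [(name_a, name_b), ...] for every member whose range starts
    before the furthest end seen so far, i.e. shares bytes with an earlier
    member. A clean archive yields an empty list.
    """
    ordered = sorted(extents, key=lambda e: (e[1], e[2]))
    overlaps = []
    prev_name, prev_end = None, -1
    for name, start, end in ordered:
        if prev_name is not None and start < prev_end:
            overlaps.append((prev_name, name))
        if end > prev_end:
            prev_name, prev_end = name, end
    return overlaps


def check_archive(raw):
    """Parse `raw` (the bytes of a zip file) and return its overlapping members."""
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        extents = [(info.filename, *entry_extent(raw, info)) for info in zf.infolist()]
    return find_overlaps(extents)


def build_sample_archive():
    """Constructed, well-formed two-member archive used as the benign input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"A" * 4096)
        zf.writestr("b.txt", b"B" * 4096)
    return buf.getvalue()


if __name__ == "__main__":
    print("overlaps in sample archive:", check_archive(build_sample_archive()))
```

`check_archive` inspects only the directory and local headers, so it runs before any member is decompressed and is cheap to place in front of code that must accept archives from untrusted sources on an interpreter older than the fixed releases. Adjacent members (one ending exactly where the next begins) are not reported; only genuinely shared bytes are.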