* Alan Coopersmith <[email protected]> [2024-08-22 20:56]:
> -------- Forwarded Message --------
> Subject: [Security-announce][CVE-2024-8088] Infinite loop when iterating
> over zip archive entry names
> Date: Thu, 22 Aug 2024 13:40:20 -0500
> From: Seth Larson <[email protected]>
> Reply-To: [email protected]
> To: [email protected]
>
> There is a HIGH severity vulnerability affecting the CPython "zipfile" module.
>
> When iterating over names of entries in a zip archive (for example, methods
> of "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()", etc)
> the process can be put into an infinite loop with a maliciously crafted
> zip archive. This defect applies when reading only metadata or extracting
> the contents of the zip archive. Programs that are not handling
> user-controlled zip archives are not affected.
>
> Please see the linked CVE ID for the latest information on affected versions:
>
> * https://www.cve.org/CVERecord?id=CVE-2024-8088
> * https://github.com/python/cpython/pull/122906
> * https://github.com/python/cpython/issues/122905
A small correction/addendum based on reading the vulnerability report and the PR
that fixes this (as well as being quite familiar with Python zipfile.ZipFile
internals and confused how this would affect it): it's not zipfile.ZipFile and
its methods that are affected, at least not directly, but zipfile.Path. The
issue being this code in zipfile._path._ancestry():
path = path.rstrip(posixpath.sep)
while path and path != posixpath.sep:
yield path
path, tail = posixpath.split(path)
Which results in an infinite loop because for example posixpath.split("//") ==
("//", "") but "//" != posixpath.sep:
>>> it = zipfile._path._parents("//foo")
>>> next(it)
'//'
>>> next(it)
'//'
>>> next(it)
'//'
The infinite loop has been fixed by sanitising the paths.
- Fay
