-------- Forwarded Message --------
Subject: [Security-announce][CVE-2024-8088] Infinite loop when iterating over
zip archive entry names
Date: Thu, 22 Aug 2024 13:40:20 -0500
From: Seth Larson <s...@python.org>
Reply-To: security-...@python.org
To: security-annou...@python.org
There is a HIGH severity vulnerability affecting the CPython "zipfile" module.
When iterating over names of entries in a zip archive (for example, methods of
"zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()", etc) the
process can be put into an infinite loop with a maliciously crafted zip archive.
This defect applies when reading only metadata or extracting the contents of the
zip archive. Programs that are not handling user-controlled zip archives are not
affected.
Please see the linked CVE ID for the latest information on affected versions:
* https://www.cve.org/CVERecord?id=CVE-2024-8088
* https://github.com/python/cpython/pull/122906
* https://github.com/python/cpython/issues/122905
