STINNER Victor <vstin...@python.org> added the comment:

Is this issue a duplicate of bpo-36260 "[security] CVE-2019-9674: Zip Bomb 
vulnerability" which has been closed by documenting the issue (without touching 
zipfile.py)?

The zipfile documentation now contains an explicit warning against ZIP bombs:

"""
Resources limitations

The lack of memory or disk volume would lead to decompression failed. For 
example, decompression bombs (aka ZIP bomb) apply to zipfile library that can 
cause disk volume exhaustion.
"""

https://docs.python.org/dev/library/zipfile.html#resources-limitations

Note: bpo-36462 "CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py" was 
closed as duplicate of bpo-36260.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue39341>
_______________________________________
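
An added example, not part of the tracker message and not code from zipfile: since the message above says bpo-36260 was closed by documentation rather than a change to zipfile.py, limits have to be enforced by the caller. The sketch below checks member count, declared size and compression ratio, then counts the bytes actually decompressed; the function names, the exception and all limit values are assumptions chosen for illustration.

```python
import io
import zipfile

class ArchiveTooLarge(Exception):
    """Raised when an archive exceeds the caller's resource budget."""

def read_zip_with_limits(source, max_total=50 * 1024 * 1024,
                         max_ratio=100, max_members=1000, chunk=64 * 1024):
    """Return {name: bytes} for a ZIP, refusing archives over the limits.

    The limit defaults are illustrative assumptions, not zipfile settings.
    """
    out, produced = {}, 0
    with zipfile.ZipFile(source) as zf:
        infos = zf.infolist()
        if len(infos) > max_members:
            raise ArchiveTooLarge(f"{len(infos)} members > {max_members}")
        # Cheap pre-check on the sizes declared in the central directory.
        declared = sum(i.file_size for i in infos)
        if declared > max_total:
            raise ArchiveTooLarge(f"declared size {declared} > {max_total}")
        for info in infos:
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise ArchiveTooLarge(f"{info.filename}: ratio over {max_ratio}")
        # Stream each member and count the bytes actually produced.
        for info in infos:
            if info.is_dir():
                continue
            buf = bytearray()
            with zf.open(info) as member:
                while True:
                    block = member.read(chunk)
                    if not block:
                        break
                    produced += len(block)
                    if produced > max_total:
                        raise ArchiveTooLarge("decompressed output over budget")
                    buf += block
            out[info.filename] = bytes(buf)
    return out

def make_sample_zip(name, payload):
    """Build a constructed in-memory sample archive for trying the checks."""
    raw = io.BytesIO()
    with zipfile.ZipFile(raw, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    raw.seek(0)
    return raw
```

The same counting loop applies when writing to disk: replace the in-memory buffer with a file handle and keep the running total across all members.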