[issue39064] ValueError in zipfile.ZipFile

2022-01-17 Thread jvoisin


jvoisin  added the comment:

Yes, I can reproduce it:

```
$ python3 --version
Python 3.9.9

$ python3.9 ziprepo.py ./crash-4da08e9ababa495ac51ecad588fd61081a66b5bb6e7a0e791f44907fa274ec62
Traceback (most recent call last):
  File "/home/jvoisin/Downloads/ziprepo.py", line 4, in <module>
    zipfile.ZipFile(sys.argv[1])
  File "/usr/lib/python3.9/zipfile.py", line 1257, in __init__
    self._RealGetContents()
  File "/usr/lib/python3.9/zipfile.py", line 1342, in _RealGetContents
    fp.seek(self.start_dir, 0)
ValueError: cannot fit 'int' into an offset-sized integer
$
```

> It's unlikely that anyone will download a binary from bpo and open it. Can 
> you help us reproduce the issue without that?

The *binary* is a corrupted zip file to open with `zipfile.ZipFile()`, it can't 
be executed on its own.

--
status: pending -> open

___
Python tracker 
<https://bugs.python.org/issue39064>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue39039] zlib.error with tarfile.open

2021-08-20 Thread jvoisin


jvoisin  added the comment:

The file was created with a fuzzer, like the one described in 
https://dustri.org/b/fuzzing-python-in-python-and-doing-it-fast.html

--

___
Python tracker 
<https://bugs.python.org/issue39039>
___



[issue39017] Infinite loop in the tarfile module

2019-12-10 Thread jvoisin


New submission from jvoisin :

While playing with fuzzing and Python, I stumbled upon an infinite loop in 
Python's tarfile module: just open the attached file with 
`tarfile.open('timeout-a52710a313fdb35fb428c3399277cb640fe2f686')`, and Python 
will be endlessly stuck in the `_proc_pax` function in tarfile.py, likely due 
to a missing check of `length` being strictly superior to zero.

--
files: timeout-a52710a313fdb35fb428c3399277cb640fe2f686
messages: 358200
nosy: ethan.furman, jvoisin
priority: normal
severity: normal
status: open
title: Infinite loop in the tarfile module
type: security
versions: Python 3.7
Added file: 
https://bugs.python.org/file48768/timeout-a52710a313fdb35fb428c3399277cb640fe2f686

___
Python tracker 
<https://bugs.python.org/issue39017>
___



[issue39018] IndexError exception on corrupted zip file

2019-12-10 Thread jvoisin


New submission from jvoisin :

The attached file raises an `IndexError: tuple index out of range` exception 
when trying to open it with 
`zipfile.ZipFile('crash-23b7d72644702df94bfcfaab4c25b01ff31c0b38')`, with the 
following stacktrace:

```
$ cat test_zip.py
import zipfile
import sys

with zipfile.ZipFile(sys.argv[1]) as f:
  pass
$ python3 ./test_zip.py ./crash-23b7d72644702df94bfcfaab4c25b01ff31c0b38
Traceback (most recent call last):
  File "./test_zip.py", line 4, in <module>
    with zipfile.ZipFile(sys.argv[1]) as f:
  File "/usr/lib/python3.7/zipfile.py", line 1225, in __init__
    self._RealGetContents()
  File "/usr/lib/python3.7/zipfile.py", line 1348, in _RealGetContents
    x._decodeExtra()
  File "/usr/lib/python3.7/zipfile.py", line 480, in _decodeExtra
    self.file_size = counts[idx]
IndexError: tuple index out of range
$
```

The zipfile documentation doesn't mention that IndexError is a possible 
exception for this method.

--
components: Library (Lib)
files: crash-23b7d72644702df94bfcfaab4c25b01ff31c0b38
messages: 358202
nosy: jvoisin
priority: normal
severity: normal
status: open
title: IndexError exception on corrupted zip file
type: behavior
versions: Python 3.7
Added file: 
https://bugs.python.org/file48769/crash-23b7d72644702df94bfcfaab4c25b01ff31c0b38

___
Python tracker 
<https://bugs.python.org/issue39018>
___



[issue39038] OverflowError in tarfile.open

2019-12-13 Thread jvoisin


New submission from jvoisin :

The attached file produces the following stacktrace when opened via 
`tarfile.open`, on Python 3.7.5rc1:

```
$ cat test.py 
import sys
import tarfile

tarfile.open(sys.argv[1])
$ python3 test.py ./crash-83a6e7d4b810c6a0bd4fd9dfd6a0b36550034ccf
Traceback (most recent call last):
  File "test.py", line 4, in <module>
    tarfile.open(sys.argv[1])
  File "/usr/lib/python3.7/tarfile.py", line 1573, in open
    return func(name, "r", fileobj, **kwargs)
  File "/usr/lib/python3.7/tarfile.py", line 1645, in gzopen
    t = cls.taropen(name, mode, fileobj, **kwargs)
  File "/usr/lib/python3.7/tarfile.py", line 1621, in taropen
    return cls(name, mode, fileobj, **kwargs)
  File "/usr/lib/python3.7/tarfile.py", line 1484, in __init__
    self.firstmember = self.next()
  File "/usr/lib/python3.7/tarfile.py", line 2289, in next
    tarinfo = self.tarinfo.fromtarfile(self)
  File "/usr/lib/python3.7/tarfile.py", line 1097, in fromtarfile
    return obj._proc_member(tarfile)
  File "/usr/lib/python3.7/tarfile.py", line 1119, in _proc_member
    return self._proc_pax(tarfile)
  File "/usr/lib/python3.7/tarfile.py", line 1230, in _proc_pax
    match = regex.match(buf, pos)
OverflowError: Python int too large to convert to C ssize
```

--
components: Library (Lib)
files: crash-83a6e7d4b810c6a0bd4fd9dfd6a0b36550034ccf
messages: 358336
nosy: jvoisin
priority: normal
severity: normal
status: open
title: OverflowError in tarfile.open
type: behavior
versions: Python 3.7
Added file: 
https://bugs.python.org/file48773/crash-83a6e7d4b810c6a0bd4fd9dfd6a0b36550034ccf

___
Python tracker 
<https://bugs.python.org/issue39038>
___

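Both `_proc_pax` reports above (the hang in issue39017 and the OverflowError at `regex.match(buf, pos)` in issue39038) come down to trusting the length prefix of a pax record, since `pos` advances by each record's declared length. As an added illustration that is not tarfile.py's code and not part of the original posts, here is a standalone strict parser for that record format that validates the length before advancing; `parse_pax_records` and `InvalidPaxHeader` are hypothetical names.

```python
import re

# Record shape used by pax extended headers: b"<length> <keyword>=<value>\n",
# where <length> counts the whole record, including its own digits.
RECORD_RE = re.compile(rb"(\d+) ([^=]+)=")


class InvalidPaxHeader(ValueError):
    """Raised for a malformed pax record (hypothetical name)."""


def parse_pax_records(buf):
    """Parse pax records from bytes into a dict, rejecting bad lengths."""
    headers = {}
    pos = 0
    while pos < len(buf):
        # The header data is padded to a block boundary with NUL bytes.
        if not buf[pos:].strip(b"\0"):
            break
        match = RECORD_RE.match(buf, pos)
        if not match:
            raise InvalidPaxHeader(f"no record at offset {pos}")
        digits, keyword = match.groups()
        if len(digits) > 10:
            raise InvalidPaxHeader("length field too long")
        length = int(digits)
        # The record must cover its own prefix plus the trailing newline.
        # This rejects length == 0, which would never advance pos.
        if length < match.end() - pos + 1:
            raise InvalidPaxHeader(f"record length {length} too small")
        end = pos + length
        # The record must fit in the buffer, so pos can never run past it.
        if end > len(buf) or buf[end - 1:end] != b"\n":
            raise InvalidPaxHeader(f"record length {length} out of bounds")
        value = buf[match.end():end - 1]
        headers[keyword.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
        pos = end
    return headers
```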


[issue39039] zlib.error with tarfile.open

2019-12-13 Thread jvoisin


New submission from jvoisin :

The attached file produces the following stacktrace when opened via 
`tarfile.open`, on Python 3.7.5rc1:

```
$ cat test.py 
import sys
import tarfile

tarfile.open(sys.argv[1])
$ python3 test.py ./crash-c10c9839d987fa0df6912cb4084f43f3ce08ca82
Traceback (most recent call last):
  File "test.py", line 4, in <module>
    tarfile.open(sys.argv[1])
  File "/usr/lib/python3.7/tarfile.py", line 1573, in open
    return func(name, "r", fileobj, **kwargs)
  File "/usr/lib/python3.7/tarfile.py", line 1645, in gzopen
    t = cls.taropen(name, mode, fileobj, **kwargs)
  File "/usr/lib/python3.7/tarfile.py", line 1621, in taropen
    return cls(name, mode, fileobj, **kwargs)
  File "/usr/lib/python3.7/tarfile.py", line 1484, in __init__
    self.firstmember = self.next()
  File "/usr/lib/python3.7/tarfile.py", line 2289, in next
    tarinfo = self.tarinfo.fromtarfile(self)
  File "/usr/lib/python3.7/tarfile.py", line 1094, in fromtarfile
    buf = tarfile.fileobj.read(BLOCKSIZE)
  File "/usr/lib/python3.7/gzip.py", line 276, in read
    return self._buffer.read(size)
  File "/usr/lib/python3.7/_compression.py", line 68, in readinto
    data = self.read(len(byte_view))
  File "/usr/lib/python3.7/gzip.py", line 471, in read
    uncompress = self._decompressor.decompress(buf, size)
zlib.error: Error -3 while decompressing data: invalid distances se
```

--
components: Library (Lib)
files: crash-c10c9839d987fa0df6912cb4084f43f3ce08ca82
messages: 358337
nosy: jvoisin
priority: normal
severity: normal
status: open
title: zlib.error with tarfile.open
type: behavior
versions: Python 3.7
Added file: 
https://bugs.python.org/file48774/crash-c10c9839d987fa0df6912cb4084f43f3ce08ca82

___
Python tracker 
<https://bugs.python.org/issue39039>
___



[issue39039] zlib.error with tarfile.open

2019-12-13 Thread jvoisin


jvoisin  added the comment:

Sure, but as a user, I would expect a better exception, like ValueError or 
ReadError, along with an error message, instead of an unexpected zlib exception.

--

___
Python tracker 
<https://bugs.python.org/issue39039>
___



[issue39062] ValueError in TarFile.getmembers

2019-12-16 Thread jvoisin


New submission from jvoisin :

The attached file produces the following stacktrace when opened via 
`tarfile.open`  and iterated with `TarFile.getmembers`, on Python 3.7.5rc1:

```
$ cat tarrepro.py
import tarfile
import sys

with tarfile.open(sys.argv[1]) as t:
  for member in t.getmembers():
    pass
```

```
$ python3 tarrepro.py crash-7221297307ab37ac87be6ea6dd9b28d4d453c557aa3da8a2138ab98e015cd42a
Traceback (most recent call last):
  File "tarrepro.py", line 5, in <module>
    for member in t.getmembers():
  File "/usr/lib/python3.7/tarfile.py", line 1763, in getmembers
    self._load()        # all members, we first have to
  File "/usr/lib/python3.7/tarfile.py", line 2350, in _load
    tarinfo = self.next()
  File "/usr/lib/python3.7/tarfile.py", line 2281, in next
    self.fileobj.seek(self.offset - 1)
ValueError: cannot fit 'int' into an offset-sized integer
```

This file isn't a valid tar file, it was created by a fuzzer.

--
components: Library (Lib)
files: crash-7221297307ab37ac87be6ea6dd9b28d4d453c557aa3da8a2138ab98e015cd42a
messages: 358472
nosy: jvoisin
priority: normal
severity: normal
status: open
title: ValueError in TarFile.getmembers
type: behavior
versions: Python 3.7
Added file: 
https://bugs.python.org/file48781/crash-7221297307ab37ac87be6ea6dd9b28d4d453c557aa3da8a2138ab98e015cd42a

___
Python tracker 
<https://bugs.python.org/issue39062>
___



[issue39064] ValueError in zipfile.ZipFile

2019-12-16 Thread jvoisin


New submission from jvoisin :

The attached file produces the following stacktrace when opened via 
`zipfile.ZipFile`, on Python 3.7.5rc1:

```
$ cat ziprepro.py 
import zipfile
import sys

zipfile.ZipFile(sys.argv[1])
```

```
$ python3 ziprepro.py crash-4da08e9ababa495ac51ecad588fd61081a66b5bb6e7a0e791f44907fa274ec62
Traceback (most recent call last):
  File "ziprepro.py", line 4, in <module>
    zipfile.ZipFile(sys.argv[1])
  File "/usr/lib/python3.7/zipfile.py", line 1225, in __init__
    self._RealGetContents()
  File "/usr/lib/python3.7/zipfile.py", line 1310, in _RealGetContents
    fp.seek(self.start_dir, 0)
ValueError: cannot fit 'int' into an offset-sized integer
```

The ValueError exception isn't documented as a possible exception when using 
zipfile.ZipFile ( https://docs.python.org/3/library/tarfile.html ).

--
components: Library (Lib)
files: crash-4da08e9ababa495ac51ecad588fd61081a66b5bb6e7a0e791f44907fa274ec62
messages: 358484
nosy: jvoisin
priority: normal
severity: normal
status: open
title: ValueError in zipfile.ZipFile
type: behavior
versions: Python 3.7
Added file: 
https://bugs.python.org/file48782/crash-4da08e9ababa495ac51ecad588fd61081a66b5bb6e7a0e791f44907fa274ec62

___
Python tracker 
<https://bugs.python.org/issue39064>
___



[issue39065] OSError in TarFile.getmembers()

2019-12-16 Thread jvoisin


New submission from jvoisin :

The attached file produces the following stacktrace when opened via 
`tarfile.open` and iterated with `TarFile.getmembers`, on Python 3.7.5rc1:

```
$ cat tarrepro.py 
import tarfile
import sys

with tarfile.open(sys.argv[1]) as t:
  for member in t.getmembers():
    pass
```

```
$ python3 tarrepro.py crash-462a00f845e737bff6df2fe6467fc7cdd4c39cd8e27ef1d3011ec68a9808ca8e
Traceback (most recent call last):
  File "tarrepro.py", line 5, in <module>
    for member in t.getmembers():
  File "/usr/lib/python3.7/tarfile.py", line 1763, in getmembers
    self._load()        # all members, we first have to
  File "/usr/lib/python3.7/tarfile.py", line 2350, in _load
    tarinfo = self.next()
  File "/usr/lib/python3.7/tarfile.py", line 2281, in next
    self.fileobj.seek(self.offset - 1)
  File "/usr/lib/python3.7/gzip.py", line 368, in seek
    return self._buffer.seek(offset, whence)
  File "/usr/lib/python3.7/_compression.py", line 143, in seek
    data = self.read(min(io.DEFAULT_BUFFER_SIZE, offset))
  File "/usr/lib/python3.7/gzip.py", line 454, in read
    self._read_eof()
  File "/usr/lib/python3.7/gzip.py", line 501, in _read_eof
    hex(self._crc)))
OSError: CRC check failed 0x21e25017 != 0x7c839e8b
```

The OSError exception isn't documented as a possible exception when using 
TarFile.getmembers ( https://docs.python.org/3/library/tarfile.html ).

--
components: Library (Lib)
files: crash-462a00f845e737bff6df2fe6467fc7cdd4c39cd8e27ef1d3011ec68a9808ca8e
messages: 358485
nosy: jvoisin
priority: normal
severity: normal
status: open
title: OSError in TarFile.getmembers()
type: behavior
versions: Python 3.7
Added file: 
https://bugs.python.org/file48783/crash-462a00f845e737bff6df2fe6467fc7cdd4c39cd8e27ef1d3011ec68a9808ca8e

___
Python tracker 
<https://bugs.python.org/issue39065>
___



[issue39067] EOFError in tarfile.open

2019-12-16 Thread jvoisin


New submission from jvoisin :

The attached file produces the following stacktrace when opened via 
`tarfile.open`, on Python 3.7.5rc1:


```
$ cat tarrepro.py 
import tarfile
import sys

with tarfile.open(sys.argv[1], errorlevel=2) as t:
  for member in t.getmembers():
    pass
$
```

```
$ python3 tarrepro.py crash-f4032ed3c7c2ae59a8f4424e0e73ce8b11ad3ef90155b008968f5b1b08499bc4
Traceback (most recent call last):
  File "tarrepro.py", line 4, in <module>
    with tarfile.open(sys.argv[1], errorlevel=2) as t:
  File "/usr/lib/python3.7/tarfile.py", line 1574, in open
    return func(name, "r", fileobj, **kwargs)
  File "/usr/lib/python3.7/tarfile.py", line 1646, in gzopen
    t = cls.taropen(name, mode, fileobj, **kwargs)
  File "/usr/lib/python3.7/tarfile.py", line 1622, in taropen
    return cls(name, mode, fileobj, **kwargs)
  File "/usr/lib/python3.7/tarfile.py", line 1485, in __init__
    self.firstmember = self.next()
  File "/usr/lib/python3.7/tarfile.py", line 2290, in next
    tarinfo = self.tarinfo.fromtarfile(self)
  File "/usr/lib/python3.7/tarfile.py", line 1094, in fromtarfile
    buf = tarfile.fileobj.read(BLOCKSIZE)
  File "/usr/lib/python3.7/gzip.py", line 276, in read
    return self._buffer.read(size)
  File "/usr/lib/python3.7/_compression.py", line 68, in readinto
    data = self.read(len(byte_view))
  File "/usr/lib/python3.7/gzip.py", line 463, in read
    if not self._read_gzip_header():
  File "/usr/lib/python3.7/gzip.py", line 421, in _read_gzip_header
    self._read_exact(extra_len)
  File "/usr/lib/python3.7/gzip.py", line 400, in _read_exact
    raise EOFError("Compressed file ended before the "
EOFError: Compressed file ended before the end-of-stream marker was reached
```

--
components: Library (Lib)
files: crash-f4032ed3c7c2ae59a8f4424e0e73ce8b11ad3ef90155b008968f5b1b08499bc4
messages: 358490
nosy: jvoisin
priority: normal
severity: normal
status: open
title: EOFError in tarfile.open
type: behavior
versions: Python 3.7
Added file: 
https://bugs.python.org/file48784/crash-f4032ed3c7c2ae59a8f4424e0e73ce8b11ad3ef90155b008968f5b1b08499bc4

___
Python tracker 
<https://bugs.python.org/issue39067>
___



[issue39067] EOFError in tarfile.open

2019-12-16 Thread jvoisin


jvoisin  added the comment:

Unfortunately, the documentation ( 
https://docs.python.org/3/library/tarfile.html) doesn't mention that EOFError 
is an exception that could be raised when using tarfile.open :/

--

___
Python tracker 
<https://bugs.python.org/issue39067>
___



[issue39067] EOFError in tarfile.open

2019-12-17 Thread jvoisin

jvoisin  added the comment:

Does it mean that the right™ way to process untrusted tar files is
to wrap every call to functions from tarfile.py in a `try: … except Exception:` 
block?

--

___
Python tracker 
<https://bugs.python.org/issue39067>
___

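One way to act on the question above about processing untrusted archives without a bare `except Exception:`, as an added example that is not from the original posts or from CPython: it maps the exception types reported in this thread onto a single error type. `UntrustedArchiveError`, `list_members` and `make_sample_targz` are hypothetical names, and the sample archive is constructed in memory.

```python
import io
import tarfile
import zipfile
import zlib


class UntrustedArchiveError(Exception):
    """One error type for every malformed-archive failure (hypothetical name)."""


# Documented archive errors plus the undocumented ones reported in this thread.
PARSE_ERRORS = (
    tarfile.TarError, zipfile.BadZipFile,    # documented
    zlib.error, EOFError, OSError,           # issue39039, issue39067, issue39065
    ValueError, IndexError, OverflowError,   # issue39062/39064, 39018, 39038
)


def list_members(data, max_members=10_000):
    """Return member names of tar/zip bytes, or raise UntrustedArchiveError."""
    names = []
    try:
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        else:
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                for member in tf:  # lazy: headers are parsed one at a time
                    names.append(member.name)
                    if len(names) > max_members:
                        break
    except PARSE_ERRORS as exc:
        raise UntrustedArchiveError(f"{type(exc).__name__}: {exc}") from exc
    if len(names) > max_members:
        raise UntrustedArchiveError("too many members")
    return names


def make_sample_targz():
    """Build a small valid .tar.gz in memory (constructed sample input)."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tf:
        payload = b"hello"
        info = tarfile.TarInfo("hello.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return out.getvalue()
```

Catching exceptions does not help with the hang reported in issue39017; that case needs a time limit enforced from outside the parsing code.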


[issue39062] ValueError in TarFile.getmembers

2019-12-23 Thread jvoisin


jvoisin  added the comment:

Raising an exception is ok, if it's documented, so I know which ones I should 
catch to prevent my program from quitting when processing untrusted files, without 
having to catch `Exception`.

Reliability is important in my use-case as well, not only exploitable 
memory-corruption issues.

I'll try to reproduce future issues on more recent Python versions before 
reporting them :)

--

___
Python tracker 
<https://bugs.python.org/issue39062>
___



[issue39017] Infinite loop in the tarfile module

2020-07-14 Thread jvoisin


jvoisin  added the comment:

CVE-2019-20907 has been assigned to this issue.

--

___
Python tracker 
<https://bugs.python.org/issue39017>
___