-
-
Notifications
You must be signed in to change notification settings - Fork 30.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Malformed payload can lead to infinite loops in zipfile.Path #122905
Labels
Comments
jaraco
added
type-bug
An unexpected behavior, bug, or error
type-security
A security issue
labels
Aug 11, 2024
jaraco
added a commit
to jaraco/cpython
that referenced
this issue
Aug 11, 2024
Closes python#122905; Ported from zipp 3.19.1; ref jaraco/zipp#119.
This was referenced Aug 11, 2024
jaraco
added a commit
that referenced
this issue
Aug 11, 2024
Ported from zipp 3.19.1; ref jaraco/zipp#119.
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
Aug 11, 2024
Ported from zipp 3.19.1; ref jaraco/zippGH-119. (cherry picked from commit 9cd0326) Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
Aug 11, 2024
Ported from zipp 3.19.1; ref jaraco/zippGH-119. (cherry picked from commit 9cd0326) Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
This was referenced Aug 11, 2024
jaraco
added a commit
to jaraco/cpython
that referenced
this issue
Aug 12, 2024
Ported from zipp 3.19.1; ref jaraco/zipp#119. (cherry picked from commit 9cd0326)
jaraco
added a commit
to jaraco/cpython
that referenced
this issue
Aug 12, 2024
) Ported from zipp 3.19.1; ref jaraco/zippGH-119. (cherry picked from commit 9cd0326) Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
jaraco
pushed a commit
that referenced
this issue
Aug 12, 2024
jaraco
pushed a commit
that referenced
this issue
Aug 12, 2024
pablogsal
pushed a commit
that referenced
this issue
Aug 19, 2024
* gh-122905: Sanitize names in zipfile.Path. (#122906) Ported from zipp 3.19.1; ref jaraco/zipp#119. (cherry picked from commit 9cd0326) * [3.11] gh-122905: Sanitize names in zipfile.Path. (GH-122906) Ported from zipp 3.19.1; ref jaraco/zippGH-119. (cherry picked from commit 9cd0326) Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
jaraco
added a commit
to jaraco/cpython
that referenced
this issue
Aug 19, 2024
…nGH-122906) (pythonGH-122925) * pythongh-122905: Sanitize names in zipfile.Path. (pythonGH-122906) Ported from zipp 3.19.1; ref jaraco/zippGH-119. (cherry picked from commit 9cd0326) * [3.11] pythongh-122905: Sanitize names in zipfile.Path. (pythonGH-122906) Ported from zipp 3.19.1; ref jaraco/zippGH-119. (cherry picked from commit 9cd0326) (cherry picked from commit 795f259) Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
jaraco
added a commit
to jaraco/cpython
that referenced
this issue
Aug 19, 2024
…GH-122906) (pythonGH-122925) * pythongh-122905: Sanitize names in zipfile.Path. (pythonGH-122906) Ported from zipp 3.19.1; ref jaraco/zippGH-119. (cherry picked from commit 9cd0326) * [3.11] pythongh-122905: Sanitize names in zipfile.Path. (pythonGH-122906) Ported from zipp 3.19.1; ref jaraco/zippGH-119. (cherry picked from commit 9cd0326) (cherry picked from commit 795f259) Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
This was referenced Aug 19, 2024
blhsing
pushed a commit
to blhsing/cpython
that referenced
this issue
Aug 22, 2024
Ported from zipp 3.19.1; ref jaraco/zipp#119.
I provided some additional analysis here: https://www.openwall.com/lists/oss-security/2024/08/22/4 Also, the CVE and security announcement mistakenly say this affects methods of |
pablogsal
pushed a commit
that referenced
this issue
Aug 22, 2024
[3.10] [3.11] gh-122905: Sanitize names in zipfile.Path. (GH-122906) (GH-122925) * gh-122905: Sanitize names in zipfile.Path. (GH-122906) Ported from zipp 3.19.1; ref jaraco/zippGH-119. (cherry picked from commit 9cd0326) * [3.11] gh-122905: Sanitize names in zipfile.Path. (GH-122906) Ported from zipp 3.19.1; ref jaraco/zippGH-119. (cherry picked from commit 9cd0326) (cherry picked from commit 795f259)
algitbot
pushed a commit
to alpinelinux/aports
that referenced
this issue
Aug 23, 2024
Add patch to fix CVE-2024-8088: Infinite loop when iterating over zip archive entry names. - python/cpython#122905 - https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
algitbot
pushed a commit
to alpinelinux/aports
that referenced
this issue
Aug 23, 2024
Add patch to fix CVE-2024-8088: Infinite loop when iterating over zip archive entry names. - python/cpython#122905 - https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
algitbot
pushed a commit
to alpinelinux/aports
that referenced
this issue
Aug 23, 2024
Add patch to fix CVE-2024-8088: Infinite loop when iterating over zip archive entry names. - python/cpython#122905 - https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
stratakis
pushed a commit
to stratakis/cpython
that referenced
this issue
Aug 23, 2024
stratakis
pushed a commit
to stratakis/cpython
that referenced
this issue
Aug 23, 2024
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
stratakis
pushed a commit
to stratakis/cpython
that referenced
this issue
Aug 23, 2024
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
bell-sw
pushed a commit
to bell-sw/alpaquita-aports
that referenced
this issue
Aug 23, 2024
[ commit be30c12bfd365f7f008f53c6c1031560ef019bf1 ] Add patch to fix CVE-2024-8088: Infinite loop when iterating over zip archive entry names. - python/cpython#122905 - https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
algitbot
pushed a commit
to alpinelinux/aports
that referenced
this issue
Aug 27, 2024
Add patch to fix CVE-2024-8088: Infinite loop when iterating over zip archive entry names. - python/cpython#122905 - https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
algitbot
pushed a commit
to alpinelinux/aports
that referenced
this issue
Aug 27, 2024
Add patch to fix CVE-2024-8088: Infinite loop when iterating over zip archive entry names. - python/cpython#122905 - https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
hroncok
pushed a commit
to fedora-python/cpython
that referenced
this issue
Aug 28, 2024
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As reported in jaraco/zipp#119, malformed paths in a zipfile can lead to undesirable behaviors (infinite loops) when traversed using zipfile.Path.
This issue tracks porting that fix to CPython.
Linked PRs
The text was updated successfully, but these errors were encountered: