[issue20078] zipfile - ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips

2014-01-09 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 0cf1defd5ac4 by Serhiy Storchaka in branch '3.3':
Issue #20078: Reading malformed zipfiles no longer hangs with 100% CPU
http://hg.python.org/cpython/rev/0cf1defd5ac4

New changeset 79ea4ce431b1 by Serhiy Storchaka in branch 'default':
Issue #20078: Reading malformed zipfiles no longer hangs with 100% CPU
http://hg.python.org/cpython/rev/79ea4ce431b1

--
nosy: +python-dev

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue20078
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue20078] zipfile - ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips

2014-01-09 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

Thank you, Nandiya, for your report.

--
resolution:  - fixed
stage: patch review - committed/rejected
status: open - closed


[issue20078] zipfile - ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips

2014-01-07 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

Looks as if 2.7 is not affected.

If there are no objections I will commit this patch tomorrow.

--
versions:  -Python 2.7


[issue20078] zipfile - ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips

2014-01-04 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

Here is a patch with tests for all supported compression types.

--
keywords: +patch
stage: needs patch - patch review
Added file: http://bugs.python.org/file33309/zipfile_eof.patch


[issue20078] zipfile - ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips

2013-12-27 Thread Serhiy Storchaka

Changes by Serhiy Storchaka storch...@gmail.com:


--
assignee:  - serhiy.storchaka
nosy: +serhiy.storchaka
stage:  - needs patch
versions: +Python 3.4


[issue20078] zipfile - ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips

2013-12-27 Thread Ronald Oussoren

Changes by Ronald Oussoren ronaldousso...@mac.com:


--
nosy: +ronaldoussoren


[issue20078] zipfile - ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips

2013-12-27 Thread Chris Rebert

Changes by Chris Rebert pyb...@rebertia.com:


--
nosy: +cvrebert


[issue20078] zipfile - ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips

2013-12-26 Thread Nandiya

New submission from Nandiya:

I am using the zipfile module on a webserver which provides a service which processes files in zips uploaded by users. While hardening against zip bombs, I tried binary editing a zip to put in false file size information. The result is interesting: with a ZIP_STORED file, or with a carefully crafted ZIP_DEFLATED file (and perhaps ZIP_BZIP2 and ZIP_LZMA for craftier hackers than I), when the stated file size exceeds the size of the archive itself, ZipExtFile.read goes into an infinite loop, consuming 100% CPU.

The following methods on such an archive all result in an infinite loop:
ZipExtFile.read
ZipExtFile.read(n)
ZipExtFile.readlines
ZipFile.extract
ZipFile.extractall


ZipExtFile.read1 silently returns corrupt data but does not hang.

Obviously the module doesn't need to bend over backwards to deal gracefully with deliberately and maliciously crafted input, since all the user hopes for is to bring the program crashing down, but the 100% CPU infinite loop is probably one of the less satisfactory possible failure modes. It should either raise an exception or do something like read1 and silently return corrupt data.

This is low priority except for security, since unless a zip is maliciously crafted some kind of exception will almost certainly be raised due to a decompression or invalid zip exception.

--
components: IO, Library (Lib)
files: malzip.py
messages: 206978
nosy: nandiya
priority: normal
severity: normal
status: open
title: zipfile - ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips
type: security
versions: Python 2.7, Python 3.3
Added file: http://bugs.python.org/file33277/malzip.py

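
The reporter's set-up (a server unpacking user-supplied zips, hardened against zip bombs) and the trigger described in the report (a size field binary-edited to claim more bytes than the archive holds) suggest two checks worth running in front of the stdlib reader. The code below is an added example written for this page; it is not code from the report, from the issue's patch, or from CPython's zipfile. The names build_zip, forge_sizes, check_sizes, read_member_bounded and demo are chosen here, the archives are constructed inline, and the small central-directory parser assumes archives without ZIP64 records or an archive comment, which is what build_zip produces.

```python
"""Added example (not from the report, its patch or CPython): size checks an upload
service can run in front of zipfile.  Assumes no ZIP64 records and no archive comment."""
import io
import struct
import zipfile
_CD_SIG, _LFH_SIG, _EOCD_SIG = b"PK\x01\x02", b"PK\x03\x04", b"PK\x05\x06"
_CD_FMT, _LFH_FMT, _EOCD_FMT = "<4sHHHHHHIIIHHHHHII", "<4sHHHHHIIIHH", "<4sHHHHIIH"
_CD_LEN, _LFH_LEN, _EOCD_LEN = 46, 30, 22   # fixed parts of the three records


class UnsafeZip(Exception):
    """Raised when an archive fails a safety check."""


def build_zip(members, compression=zipfile.ZIP_STORED):
    """Write {name: bytes} into an in-memory archive and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _central_directory(data):
    """Yield (offset, fields, name) for every central directory header."""
    eocd = struct.unpack(_EOCD_FMT, data[-_EOCD_LEN:])
    if eocd[0] != _EOCD_SIG or eocd[6] + eocd[5] > len(data) - _EOCD_LEN:
        raise UnsafeZip("missing or truncated central directory")
    pos = eocd[6]
    for _ in range(eocd[4]):
        f = struct.unpack(_CD_FMT, data[pos:pos + _CD_LEN])
        if f[0] != _CD_SIG:
            raise UnsafeZip(f"bad central directory signature at {pos}")
        name = data[pos + _CD_LEN:pos + _CD_LEN + f[10]].decode("utf-8", "replace")
        yield pos, f, name
        pos += _CD_LEN + f[10] + f[11] + f[12]   # name, extra and comment lengths


def forge_sizes(data, name, compress_size, file_size):
    """Binary-edit the central directory sizes of `name`, as the report did."""
    out = bytearray(data)
    for pos, _, entry in _central_directory(data):
        if entry == name:   # compress_size and file_size sit at +20 and +24
            struct.pack_into("<II", out, pos + 20, compress_size, file_size)
            return bytes(out)
    raise KeyError(name)


def check_sizes(data, max_file_size, max_ratio=100):
    """Bound every entry by the archive and by the caller's budget; return the problems."""
    problems = []
    cd_off = struct.unpack(_EOCD_FMT, data[-_EOCD_LEN:])[6]
    for _, f, name in _central_directory(data):
        csize, usize, hdr = f[8], f[9], f[16]
        lfh = struct.unpack(_LFH_FMT, data[hdr:hdr + _LFH_LEN]) if hdr + _LFH_LEN <= cd_off else None
        if lfh is None or lfh[0] != _LFH_SIG:
            problems.append(f"{name}: no local file header at offset {hdr}")
            continue
        if not lfh[2] & 0x08 and (lfh[7], lfh[8]) != (csize, usize):   # bit 3: sizes in descriptor
            problems.append(f"{name}: local header sizes disagree with central directory")
        start = hdr + _LFH_LEN + lfh[9] + lfh[10]        # skip name and extra field
        if start + csize > cd_off:
            problems.append(f"{name}: compress_size {csize} runs past the archive ({cd_off - start} left)")
        if usize > max_file_size:
            problems.append(f"{name}: file_size {usize} exceeds budget {max_file_size}")
        if usize > max(csize, 1) * max_ratio:
            problems.append(f"{name}: compression ratio above {max_ratio}:1")
    return problems


def read_member_bounded(data, name, max_bytes, chunk=64 * 1024):
    """Read a member via the stdlib, capping bytes actually produced, not bytes promised."""
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            piece = fh.read(min(chunk, max_bytes - len(out) + 1))
            if not piece:
                return bytes(out)
            out += piece
            if len(out) > max_bytes:
                raise UnsafeZip(f"{name}: more than {max_bytes} bytes of output")


def demo():
    """Run the checks on a good archive, a forged copy and a small zip bomb (all constructed here)."""
    good = build_zip({"report.txt": b"constructed sample content\n" * 4})
    forged = forge_sizes(good, "report.txt", 1 << 30, 1 << 30)   # the report's trigger
    bomb = build_zip({"zeros.bin": bytes(1 << 20)}, zipfile.ZIP_DEFLATED)
    results = {
        "good_problems": check_sizes(good, max_file_size=1 << 20),
        "forged_problems": check_sizes(forged, max_file_size=1 << 20),
        "bomb_problems": check_sizes(bomb, max_file_size=1 << 20),
        "good_content": read_member_bounded(good, "report.txt", max_bytes=1 << 20),
    }
    try:
        read_member_bounded(bomb, "zeros.bin", max_bytes=64 * 1024)
    except UnsafeZip as exc:
        results["bomb_rejected"] = str(exc)
    return results
```

check_sizes bounds each entry's declared compress_size by the bytes that actually lie between its local header and the central directory, which is the condition the report says sends ZipExtFile.read into its loop, and it also flags a local header that disagrees with the central directory, an uncompressed size over budget, and an implausible compression ratio. read_member_bounded then caps what is produced rather than what the headers promise, so a zip bomb with honest-looking headers is still cut off. Neither check depends on how a particular Python version reacts to the forged copy, which is why demo() hands only the sound archives to the stdlib reader.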