[issue36462] CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py

2019-03-28 Thread JUN-WEI SONG
JUN-WEI SONG added the comment: Thanks to the Python community, both of these issues are the same. I also think it's a good thing to make related documentation to reduce this type of problem rather than implementing it on a low-level zipfile module. Perhaps we can customize such a requiremen

[issue36462] CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py

2019-03-28 Thread Brett Cannon
Brett Cannon added the comment: You can also leave a comment in the other issue saying there's more details in the closed duplicate. On Thu, Mar 28, 2019 at 9:54 AM Karthikeyan Singaravelan < rep...@bugs.python.org> wrote: > > Karthikeyan Singaravelan added the comment: > > I would request c

[issue36462] CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py

2019-03-28 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: I would request closing the other one as duplicate and opening this since this contains the actual report or perhaps the report could be copied to issue36260. Since Serhiy suggested closing this as not a bug I will leave it to him on resolution of

[issue36462] CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py

2019-03-28 Thread Brett Cannon
Brett Cannon added the comment: Closing as a duplicate of issue36260. -- nosy: +brett.cannon resolution: -> duplicate stage: -> resolved status: open -> closed superseder: -> Cpython/Lib vulnerability found and request a patch submission ___ Pyth

[issue36462] CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py

2019-03-28 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: Going by CVE number and report, is this a duplicate of issue36260? -- nosy: +xtreak

[issue36462] CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py

2019-03-28 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: I do not think that the library should limit the compression ratio. A large compression ratio is legit. For example, a compressed file of size 1 GiB consisting of zeros has a compression ratio of 1030 (and I suppose it is even larger if you use bzip2 or lzma compressi

[issue36462] CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py

2019-03-28 Thread Stéphane Wirtel
Change by Stéphane Wirtel: -- nosy: +serhiy.storchaka, twouters

[issue36462] CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py

2019-03-28 Thread JUN-WEI SONG
New submission from JUN-WEI SONG: Dear Python Community, we found a Python module vulnerability during these days and we got a CVE number, CVE-2019-9674, after reporting it to cve.mitre.org. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9674 The reserved information of CVE-2019-967