[issue39341] [security] zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size

2020-02-09 Thread STINNER Victor
STINNER Victor added the comment: I close this issue as a duplicate of bpo-36260.
resolution: -> duplicate
stage: -> resolved
status: open -> closed
superseder: -> [security] CVE-2019-9674: Zip Bomb vulnerability
___ Python tracker

[issue39341] [security] zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size

2020-01-15 Thread STINNER Victor
STINNER Victor added the comment: > Is this a 2.7-only issue? I think it is too late. I vaguely recall that Christian Heimes wrote something about Python 3 in a private email, but I cannot find this email anymore :-p In case of doubt, I marked Python 3 as affected as well.

[issue39341] [security] zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size

2020-01-15 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Is this a 2.7-only issue? I think it is too late.

[issue39341] [security] zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size

2020-01-15 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: See also some discussion regarding this class of vulnerability: https://bugs.python.org/issue36260
nosy: +serhiy.storchaka, xtreak

[issue39341] [security] zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size

2020-01-15 Thread STINNER Victor
STINNER Victor added the comment: Is this issue a duplicate of bpo-36260 "[security] CVE-2019-9674: Zip Bomb vulnerability" which has been closed by documenting the issue (without touching zipfile.py)? The zipfile documentation now contains an explicit warning against ZIP bombs: """
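Since bpo-36260 was resolved by documenting the risk rather than changing zipfile.py, the sizing checks fall to the code that consumes the archive. The following is an added example written for this page, not code from the tracker thread or from CPython's zipfile module. It assumes hypothetical policy limits (8 MiB per archive, a 100:1 per-entry ratio), uses a made-up exception name, and builds its own sample archives in memory. The first check reads the sizes announced in the central directory, which the archive's author controls, so it is only a filter; the second counts bytes as they actually leave the decompressor and stops when a budget is exceeded, whatever the header claimed.

```python
import hashlib
import io
import zipfile

# Hypothetical policy limits for this example; tune them to the consumer's needs.
MAX_TOTAL_UNCOMPRESSED = 8 * 1024 * 1024   # bytes per archive
MAX_RATIO = 100                            # uncompressed / compressed, per entry
CHUNK = 64 * 1024


class ZipBombSuspected(ValueError):
    """Raised when an archive exceeds the caps (name chosen for this example)."""


def check_declared_sizes(zf, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO):
    """Cheap pre-check on the sizes announced in the central directory.

    Those fields were written by whoever built the archive, so a hostile
    archive can lie; treat this as a first filter, not as the guarantee.
    """
    total = 0
    for info in zf.infolist():
        total += info.file_size
        if total > max_total:
            raise ZipBombSuspected(
                f"declared total {total} bytes exceeds cap of {max_total}")
        if info.compress_size and info.file_size / info.compress_size > max_ratio:
            raise ZipBombSuspected(
                f"{info.filename}: declared ratio "
                f"{info.file_size / info.compress_size:.0f}:1 exceeds {max_ratio}:1")
    return total


def read_entry_bounded(zf, info, max_bytes):
    """Inflate one entry while counting bytes as they leave the decompressor,
    stopping as soon as the budget is exceeded. Does not rely on
    info.file_size being honest."""
    out = io.BytesIO()
    produced = 0
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            produced += len(chunk)
            if produced > max_bytes:
                raise ZipBombSuspected(
                    f"{info.filename}: produced more than {max_bytes} bytes")
            out.write(chunk)
    return out.getvalue()


def safe_extract_to_memory(data, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO):
    """Return {name: bytes} for a ZIP held in memory, enforcing one shared
    byte budget across all entries with both checks above."""
    result = {}
    budget = max_total
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        check_declared_sizes(zf, max_total, max_ratio)
        for info in zf.infolist():
            if info.is_dir():
                continue
            payload = read_entry_bounded(zf, info, budget)
            budget -= len(payload)
            result[info.filename] = payload
    return result


def rejects(data, **limits):
    """True if safe_extract_to_memory refuses the archive."""
    try:
        safe_extract_to_memory(data, **limits)
    except ZipBombSuspected:
        return True
    return False


def make_zip(entries):
    """Build a deflated ZIP in memory from {name: bytes} (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample archives, not real-world samples.
TEXT = b"The quick brown fox jumps over the lazy dog\n" * 4
BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                for i in range(64))            # 2 KiB of incompressible bytes
BENIGN_ZIP = make_zip({"readme.txt": TEXT, "blob.bin": BLOB})
# 16 MiB of zeros deflates to a few tens of KiB: far beyond both caps.
BOMB_ZIP = make_zip({"zeros.bin": b"\0" * (16 * 1024 * 1024)})

if __name__ == "__main__":
    print({k: len(v) for k, v in safe_extract_to_memory(BENIGN_ZIP).items()})
    print("bomb rejected:", rejects(BOMB_ZIP))
```

The two checks are deliberately independent: the declared-size filter costs nothing and rejects the obvious case before any decompression, while the byte counter is what actually protects a writer to disk if the central directory understates or omits the real size. The same budget logic applies to `extractall`-style code by streaming each entry to its destination file in chunks instead of into a BytesIO.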

[issue39341] [security] zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size

2020-01-15 Thread STINNER Victor
STINNER Victor added the comment: Amit Laish reported the exact same vulnerability to rubyzip and they released a fix for it, CVE-2019-16892.

[issue39341] [security] zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size

2020-01-15 Thread STINNER Victor
Change by STINNER Victor:
nosy: +christian.heimes, rschiron
title: zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size -> [security] zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size