[security] CVE-2019-9674: Zip Bomb vulnerability

[krnick]

BPO	36260
Nosy	@jaraco, @vstinner, @tiran, @serhiy-storchaka, @18z, @tirkarthi, @krnick, @sidra-asa
PRs	bpo-36260: Add pitfalls to zipfile module documentation #13378 [3.8] bpo-36260: Add pitfalls to zipfile module documentation (GH-13378) #15976

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2019-09-11.15:04:49.599>
created_at = <Date 2019-03-11.07:16:58.724>
labels = ['type-security', '3.8', '3.7', 'library']
title = '[security] CVE-2019-9674: Zip Bomb vulnerability'
updated_at = <Date 2020-02-10.07:59:41.779>
user = 'https://github.com/krnick'

bugs.python.org fields:

activity = <Date 2020-02-10.07:59:41.779>
actor = 'vstinner'
assignee = 'none'
closed = True
closed_date = <Date 2019-09-11.15:04:49.599>
closer = 'jaraco'
components = ['Library (Lib)']
creation = <Date 2019-03-11.07:16:58.724>
creator = 'krnick'
dependencies = []
files = []
hgrepos = []
issue_num = 36260
keywords = ['patch']
message_count = 19.0
messages = ['337650', '337651', '337652', '337835', '339061', '339062', '339083', '339084', '339087', '339316', '339329', '339406', '339408', '339587', '341256', '342693', '351921', '351964', '361673']
nosy_count = 8.0
nosy_names = ['jaraco', 'vstinner', 'christian.heimes', 'serhiy.storchaka', '18z', 'xtreak', 'krnick', 'Victor Kung']
pr_nums = ['13378', '15976']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue36260'
versions = ['Python 3.4', 'Python 3.5', 'Python 3.6', 'Python 3.7', 'Python 3.8']

[krnick]

Dear Python Community,

We’ve found a vulnerability in cpython Lib and already received a cve number (CVE-2019-9674)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9674

We also have a patch for this vulnerability, please tell us what to do next.
Since we don’t want to uncover the vulnerability before it get fixed.

JUN-WEI SONG

[18z]

Dear community,

I am one of the discoverer of this vulnerability, please tell us what to do next :D

Kunyu Chen

[tirkarthi]

You can find the process to report security vulnerabilities at https://www.python.org/news/security/ . Please email the details to security@python.org and who will analyze the report before public disclosure.

[18z]

Thank you Karthikeyan Singaravelan.
We're working on it :D

Kunyu Chen

[tiran]

Issue bpo-36462 contains more information. The reporter claims that the zipfile module is inherent insecure because it does not provide any heuristics to make zipbomb attacks harder.

I'm -1 to implement such a heuristic. The zipfile module is a low level module and should not limit extraction by defaykt. Instead we should improve documentation and maybe implement some method that simplifies detection of zipbomb attacks. I'm thinking about a method that returns total count of files, total compressed size and total uncompressed size.

[serhiy-storchaka]

All these are simple one-liners:

    len(zf.infolist())
    sum(zi.compress_size for zi in zf.infolist())
    sum(zi.file_size for zi in zf.infolist())

[krnick]

Thank you python community, these two issues are indeed the same problem.

I also think that it is good to make a related document to reduce such problems.

[krnick]

Thank you python community, these two issues are indeed the same problem.

I also think that it is good to make a related document to reduce such problems.

[18z]

Thank you for the responses.

I agree with Christian Heimes.

It's indeed better to improve the documentation rather than directly implement the heuristic.

[krnick]

Hello Python community,

With Christian Heimes’ suggestion, we manipulate appropriate warning to inform users that they may encounter zip bomb issues when using the zipfile module.

The warning we would like to add in the zipfile documentation is shown below :

https://github.com/python/cpython/blob/3.7/Doc/library/zipfile.rst

.. warning::

Never extract files from untrusted sources without prior 
inspection. It is possible that the file may contain zip bomb 
issues such as 42.zip. The zip bomb will usually be a small file 
before decompression, but once it is decompressed, it will 
exhaust system resources.

You can protect your system by limiting system resources, limiting compression ratio (zip bombs are usually quite high), and checking for nested zip files.

We are also pleasure to provide a patch to enhance the zipfile module to provide basic information.

In zipfile.py

https://github.com/python/cpython/blob/master/Lib/zipfile.py

Inside the ZipFile class :

def filecount(self):                                                                                         
    """Return total count of files in the archive."""                                                        
    return len(self.filelist)                                                                                
                                                                                                                 
def total_compressed_size(self):                                                                             
    """Return total compressed size in the archive."""                                                       
    return sum([data.compress_size for data in self.filelist])                                               
                                                                                                                 
def total_uncompressed_size(self):                                                                           
    """Return total uncompressed size in the archive."""                                                     
    return sum([data.file_size for data in self.filelist])