Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:GA
python3.35632
CVE-2019-9674-zip-bomb.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2019-9674-zip-bomb.patch of Package python3.35632
From 2ead5a8d9dac3b6e4fac6406eb03378bec5819ec Mon Sep 17 00:00:00 2001 From: nick sung <sungboss2004@gmail.com> Date: Fri, 17 May 2019 15:45:31 +0800 Subject: [PATCH] [CVE-2019-9674] improve documentation warning against the possible zip bombs We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst. file This gave us the idea of documentation improvement. So, we moved a little bit forward :P And the doc patch can be found (pr). Fixes: bsc#1162825 Patch: CVE-2019-9674-zip-bomb.patch --- Doc/library/zipfile.rst | 42 +++++++++++++++++++ .../2019-06-04-09-29-00.bpo-36260.WrGuc-.rst | 1 + 2 files changed, 43 insertions(+) create mode 100644 Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst index 591def2d089..369d8e7d4e5 100644 --- a/Doc/library/zipfile.rst +++ b/Doc/library/zipfile.rst @@ -706,5 +706,47 @@ Command-line options Test whether the zipfile is valid or not. +Decompression pitfalls +---------------------- + +The extraction in zipfile module might fail due to some pitfalls +listed below. + +From file itself +~~~~~~~~~~~~~~~~ + +Decompression may fail due to incorrect password / CRC checksum +/ ZIP format or unsupported compression method / decryption. + +File System limitations +~~~~~~~~~~~~~~~~~~~~~~~ + +Exceeding limitations on different file systems can cause +decompression failed. Such as allowable characters in the +directory entries, length of the file name, length of the +pathname, size of a single file, and number of files, etc. + +Resources limitations +~~~~~~~~~~~~~~~~~~~~~ + +The lack of memory or disk volume would lead to decompression +failed. For example, decompression bombs (aka `ZIP bomb`_) apply +to zipfile library that can cause disk volume exhaustion. + +Interruption +~~~~~~~~~~~~ + +Interruption during the decompression, such as pressing control-C +or killing the decompression process may result in incomplete +decompression of the archive. + +Default behaviors of extraction +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Not knowing the default extraction behaviors can cause unexpected +decompression results. For example, when extracting the same +archive twice, it overwrites files without asking. + +.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT diff --git a/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst new file mode 100644 index 00000000000..9276516a882 --- /dev/null +++ b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst @@ -0,0 +1 @@ +Add decompression pitfalls to zipfile module documentation. \ No newline at end of file -- 2.45.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor