Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.2
python
CVE-2019-9674-zip-bomb.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2019-9674-zip-bomb.patch of Package python
From b73fe12d4d85fc92e4b9658e417046b68fb68ecc Mon Sep 17 00:00:00 2001 From: nick sung <sungboss2004@gmail.com> Date: Fri, 17 May 2019 15:45:31 +0800 Subject: [PATCH 1/4] bpo-36260: Add pitfalls to zipfile module documentation We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file. This gave us the idea of documentation improvement. So, we moved a little bit forward :P And the doc patch can be found (pr). --- Doc/library/zipfile.rst | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) --- a/Doc/library/zipfile.rst +++ b/Doc/library/zipfile.rst @@ -553,5 +553,47 @@ Command-line options Test whether the zipfile is valid or not. +Decompression pitfalls +---------------------- +The extraction in zipfile module might fail due to some pitfalls +listed below. + +From file itself +~~~~~~~~~~~~~~~~ + +Decompression may fail due to incorrect password / CRC checksum +/ ZIP format or unsupported compression method / decryption. + +File System limitations +~~~~~~~~~~~~~~~~~~~~~~~ + +Exceeding limitations on different file systems can cause +decompression failed. Such as allowable characters in the +directory entries, length of the file name, length of the +pathname, size of a single file, and number of files, etc. + +Resources limitations +~~~~~~~~~~~~~~~~~~~~~ + +The lack of memory or disk volume would lead to decompression +failed. For example, decompression bombs (aka `ZIP bomb`_) apply +to zipfile library that can cause disk volume exhaustion. + +Interruption +~~~~~~~~~~~~ + +Interruption during the decompression, such as pressing control-C +or killing the decompression process may result in incomplete +decompression of the archive. + +Default behaviors of extraction +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Not knowing the default extraction behaviors can cause unexpected +decompression results. For example, when extracting the same +archive twice, it overwrites files without asking. + + +.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT --- /dev/null +++ b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst @@ -0,0 +1 @@ +Add decompression pitfalls to zipfile module documentation. \ No newline at end of file
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor