File CVE-2019-9674-zip-bomb.patch of Package python3

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-9674-zip-bomb.patch of Package python3

From 2ead5a8d9dac3b6e4fac6406eb03378bec5819ec Mon Sep 17 00:00:00 2001
From: nick sung <sungboss2004@gmail.com>
Date: Fri, 17 May 2019 15:45:31 +0800
Subject: [PATCH] [CVE-2019-9674] improve documentation warning against the
 possible zip bombs

We saw vulnerability warning description (including zip bomb) in
Doc/library/xml.rst. file This gave us the idea of documentation
improvement.

So, we moved a little bit forward :P
And the doc patch can be found (pr).

Fixes: bsc#1162825
Patch: CVE-2019-9674-zip-bomb.patch
---
 Doc/library/zipfile.rst                       | 42 +++++++++++++++++++
 .../2019-06-04-09-29-00.bpo-36260.WrGuc-.rst  |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst

diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
index 591def2d089..369d8e7d4e5 100644
--- a/Doc/library/zipfile.rst
+++ b/Doc/library/zipfile.rst
@@ -706,5 +706,47 @@ Command-line options
 
    Test whether the zipfile is valid or not.
 
+Decompression pitfalls
+----------------------
+
+The extraction in zipfile module might fail due to some pitfalls
+listed below.
+
+From file itself
+~~~~~~~~~~~~~~~~
+
+Decompression may fail due to incorrect password / CRC checksum
+/ ZIP format or unsupported compression method / decryption.
+
+File System limitations
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Exceeding limitations on different file systems can cause
+decompression failed. Such as allowable characters in the
+directory entries, length of the file name, length of the
+pathname, size of a single file, and number of files, etc.
+
+Resources limitations
+~~~~~~~~~~~~~~~~~~~~~
+
+The lack of memory or disk volume would lead to decompression
+failed. For example, decompression bombs (aka `ZIP bomb`_) apply
+to zipfile library that can cause disk volume exhaustion.
+
+Interruption
+~~~~~~~~~~~~
+
+Interruption during the decompression, such as pressing control-C
+or killing the decompression process may result in incomplete
+decompression of the archive.
+
+Default behaviors of extraction
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Not knowing the default extraction behaviors can cause unexpected
+decompression results. For example, when extracting the same
+archive twice, it overwrites files without asking.
+
 
+.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
 .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
diff --git a/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
new file mode 100644
index 00000000000..9276516a882
--- /dev/null
+++ b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
@@ -0,0 +1 @@
+Add decompression pitfalls to zipfile module documentation.
\ No newline at end of file
-- 
2.45.0

Places

File CVE-2019-9674-zip-bomb.patch of Package python3

Places