[New-bugs-announce] [issue36462] CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py
JUN-WEI SONG
report at bugs.python.org
Thu Mar 28 11:46:11 EDT 2019
New submission from JUN-WEI SONG <sungboss2004 at gmail.com>:
Dear Python Community,
We found a Python module vulnerability in recent days and received a CVE number, CVE-2019-9674, after reporting it to cve.mitre.org.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9674
The reserved information of CVE-2019-9674 is shown below:
[Description]
Lib/zipfile.py in Python through 3.7.2 allows remote
attackers to cause a denial of service (resource consumption)
via a ZIP bomb.
[Additional Information]
The Python zipfile library in versions 3.2, 3.3, 3.4, 3.5, 3.6,
3.7 and 3.8 allows attackers to cause a denial of service (disk
volume exhaustion) via a ZIP bomb.
We have found that the Python standard library zipfile module doesn't have
ZIP bomb detection or protection. If a user uses the zipfile
library to unzip a ZIP bomb file, this might cause a denial
of service on the localhost.
[VulnerabilityType Other]
Denial-of-Service
Our proposed solutions:
1. The compression ratio:
Compression ratio = Uncompressed file size / Compressed file size
Since a ZIP bomb file has a much higher compression ratio (1028) than
a normal ZIP file (1 to 3), we calculate the compression
ratio and set a threshold for the detection.
2. Nested zip file:
There is a high chance that it is a zip bomb if it is a nested zip
file.
3. Limit resources such as CPU, memory and disk usage.
Unsolved issue:
However, we have not yet determined the compression ratio threshold. We
temporarily set the compression ratio threshold to 10, and if the ratio exceeds it,
the file may be a ZIP bomb.
It is likely that detection may misjudge nested compressed files.
For example, under normal circumstances, compressed files are
included in the zip file.
Our solution code:

    # Proposed addition to the ZipFile class in Lib/zipfile.py (a method,
    # so `self.filelist` is the list of ZipInfo entries of the archive).
    def _exam_ratio(self, threshold=10):
        """If the ratio exceeds threshold, it may be a ZIP Bomb."""
        sum_file_size = sum(data.file_size for data in self.filelist)
        sum_compress_size = sum(data.compress_size for data in self.filelist)
        # Guard: an archive holding only empty or directory entries has a
        # compressed size of 0, which would otherwise raise ZeroDivisionError.
        if sum_compress_size == 0:
            return
        ratio = sum_file_size / sum_compress_size
        if ratio > threshold:
            raise BadZipFile("Zip Bomb Detected")

    # Proposed nested-zip check, applied to each ZipInfo entry (`member`)
    # inside the extraction loop.
    if member.filename.endswith(".zip"):
        raise BadZipFile("Nested Zip File Detected")
Thanks!
----------
components: Library (Lib)
messages: 339053
nosy: krnick
priority: normal
severity: normal
status: open
title: CVE-2019-9674 : zip bomb vulnerability in Lib/zipfile.py
type: security
versions: Python 3.5, Python 3.6, Python 3.7, Python 3.8
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36462>
_______________________________________
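The ratio and nested-zip checks proposed in the report, as an added standalone example that is not the reporter's or CPython's code: it screens constructed in-memory archives using only central-directory metadata (nothing is inflated), and assumes a configurable threshold of 10 plus a guard for a zero compressed size.

```python
import hashlib
import io
import zipfile


def check_zip_bomb(data: bytes, threshold: float = 10) -> float:
    """Return the overall ratio; raise BadZipFile on a nested .zip or ratio > threshold."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        for info in infos:
            if info.filename.lower().endswith(".zip"):
                raise zipfile.BadZipFile("Nested zip file detected: " + info.filename)
        total_uncompressed = sum(i.file_size for i in infos)
        total_compressed = sum(i.compress_size for i in infos)
        # Stored empty members and directory entries have compress_size 0 (assumed guard).
        if total_compressed == 0:
            return 0.0
        ratio = total_uncompressed / total_compressed
        if ratio > threshold:
            raise zipfile.BadZipFile("Zip bomb detected: ratio %.1f" % ratio)
        return ratio


def is_suspicious(data: bytes, threshold: float = 10) -> bool:
    """True when check_zip_bomb rejects the archive."""
    try:
        check_zip_bomb(data, threshold)
    except zipfile.BadZipFile:
        return True
    return False


def build_archive(members: dict, compression=zipfile.ZIP_DEFLATED) -> bytes:
    """Build a constructed in-memory sample archive for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: incompressible hash-chain bytes, a 1 MiB run of zeros
# (deflate shrinks it to about 1 KB), a nested archive, and an empty stored file.
RANDOMISH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
BENIGN = build_archive({"readme.txt": b"hello " * 20, "blob.bin": RANDOMISH})
BOMB_LIKE = build_archive({"zeros.bin": b"\0" * (1 << 20)})
NESTED = build_archive({"inner.zip": BENIGN})
EMPTY_STORED = build_archive({"empty.txt": b""}, zipfile.ZIP_STORED)
```

The ratio check alone cannot tell a legitimately repetitive file from a bomb, so a hard cap on declared output size (the third proposal in the report) is the more robust companion control.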