Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python for openSUSE:Factory checked in at 2024-05-21 18:34:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python (Old) and /work/SRC/openSUSE:Factory/.python.new.1880 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python" Tue May 21 18:34:28 2024 rev:196 rq:1175099 version:2.7.18 Changes: -------- --- /work/SRC/openSUSE:Factory/python/python-base.changes 2024-05-13 17:57:04.427690200 +0200 +++ /work/SRC/openSUSE:Factory/.python.new.1880/python-base.changes 2024-05-21 18:34:41.618559359 +0200 @@ -1,0 +2,8 @@ +Sat May 18 15:49:07 UTC 2024 - Matej Cepl <mc...@suse.com> + +- bsc#1221854 (CVE-2024-0450) Add + CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch + detecting the vulnerability of the "quoted-overlap" zipbomb + (from gh#python/cpython!110016). + +------------------------------------------------------------------- 
@@ -7,0 +16,6 @@ +- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch + removing failing test fixing bpo#3151, which we just not + support. +- Remove patches over those embedded packages (cffi): + - python-2.7-libffi-aarch64.patch + - sparc_longdouble.patch python-doc.changes: same change python.changes: same change Old: ---- _multibuild python-2.7-libffi-aarch64.patch sparc_longdouble.patch New: ---- CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch BETA DEBUG BEGIN: Old:/work/SRC/openSUSE:Factory/.python.new.1880/python-base.changes-- Remove patches over those embedded packages (cffi): /work/SRC/openSUSE:Factory/.python.new.1880/python-base.changes: - python-2.7-libffi-aarch64.patch /work/SRC/openSUSE:Factory/.python.new.1880/python-base.changes- - sparc_longdouble.patch -- /work/SRC/openSUSE:Factory/.python.new.1880/python-doc.changes-- Remove patches over those embedded packages (cffi): /work/SRC/openSUSE:Factory/.python.new.1880/python-doc.changes: - python-2.7-libffi-aarch64.patch /work/SRC/openSUSE:Factory/.python.new.1880/python-doc.changes- - sparc_longdouble.patch -- /work/SRC/openSUSE:Factory/.python.new.1880/python.changes-- Remove patches over those embedded packages (cffi): /work/SRC/openSUSE:Factory/.python.new.1880/python.changes: - python-2.7-libffi-aarch64.patch /work/SRC/openSUSE:Factory/.python.new.1880/python.changes- - sparc_longdouble.patch Old:/work/SRC/openSUSE:Factory/.python.new.1880/python-base.changes- - python-2.7-libffi-aarch64.patch /work/SRC/openSUSE:Factory/.python.new.1880/python-base.changes: - sparc_longdouble.patch /work/SRC/openSUSE:Factory/.python.new.1880/python-base.changes- -- /work/SRC/openSUSE:Factory/.python.new.1880/python-doc.changes- - python-2.7-libffi-aarch64.patch /work/SRC/openSUSE:Factory/.python.new.1880/python-doc.changes: - sparc_longdouble.patch /work/SRC/openSUSE:Factory/.python.new.1880/python-doc.changes- -- 
/work/SRC/openSUSE:Factory/.python.new.1880/python.changes- - python-2.7-libffi-aarch64.patch /work/SRC/openSUSE:Factory/.python.new.1880/python.changes: - sparc_longdouble.patch /work/SRC/openSUSE:Factory/.python.new.1880/python.changes- BETA DEBUG END: BETA DEBUG BEGIN: New:/work/SRC/openSUSE:Factory/.python.new.1880/python-base.changes- (including expat). /work/SRC/openSUSE:Factory/.python.new.1880/python-base.changes:- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch /work/SRC/openSUSE:Factory/.python.new.1880/python-base.changes- removing failing test fixing bpo#3151, which we just not -- /work/SRC/openSUSE:Factory/.python.new.1880/python-doc.changes- (including expat). /work/SRC/openSUSE:Factory/.python.new.1880/python-doc.changes:- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch /work/SRC/openSUSE:Factory/.python.new.1880/python-doc.changes- removing failing test fixing bpo#3151, which we just not -- /work/SRC/openSUSE:Factory/.python.new.1880/python.changes- (including expat). 
/work/SRC/openSUSE:Factory/.python.new.1880/python.changes:- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch /work/SRC/openSUSE:Factory/.python.new.1880/python.changes- removing failing test fixing bpo#3151, which we just not New:/work/SRC/openSUSE:Factory/.python.new.1880/python-base.changes-- bsc#1221854 (CVE-2024-0450) Add /work/SRC/openSUSE:Factory/.python.new.1880/python-base.changes: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch /work/SRC/openSUSE:Factory/.python.new.1880/python-base.changes- detecting the vulnerability of the "quoted-overlap" zipbomb -- /work/SRC/openSUSE:Factory/.python.new.1880/python-doc.changes-- bsc#1221854 (CVE-2024-0450) Add /work/SRC/openSUSE:Factory/.python.new.1880/python-doc.changes: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch /work/SRC/openSUSE:Factory/.python.new.1880/python-doc.changes- detecting the vulnerability of the "quoted-overlap" zipbomb -- /work/SRC/openSUSE:Factory/.python.new.1880/python.changes-- bsc#1221854 (CVE-2024-0450) Add /work/SRC/openSUSE:Factory/.python.new.1880/python.changes: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch /work/SRC/openSUSE:Factory/.python.new.1880/python.changes- detecting the vulnerability of the "quoted-overlap" zipbomb BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-base.spec ++++++ --- /var/tmp/diff_new_pack.uZLfUe/_old 2024-05-21 18:34:43.374623193 +0200 +++ /var/tmp/diff_new_pack.uZLfUe/_new 2024-05-21 18:34:43.378623338 +0200 
@@ -51,13 +51,10 @@
 Patch5: python-2.7.4-canonicalize2.patch
 Patch7: python-2.6-gettext-plurals.patch
 Patch8: python-2.6b3-curses-panel.patch
-Patch10: sparc_longdouble.patch
 Patch13: python-2.7.2-fix_date_time_compiler.patch
 Patch17: remove-static-libpython.patch
 # PATCH-FEATURE-OPENSUSE python-bundle-lang.patch bnc#617751 dims...@opensuse.org -- gettext: when looking in default_localedir also check in locale-bundle.
 Patch20: python-bundle-lang.patch
-# PATCH-FIX-UPSTREAM Fix argument passing in libffi for aarch64
-Patch22: python-2.7-libffi-aarch64.patch
 Patch24: python-bsddb6.patch
 # PATCH-FIX-UPSTREAM accept directory-based CA paths as well
 Patch33: python-2.7.9-ssl_ca_path.patch
@@ -165,6 +162,12 @@
 # PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mc...@suse.com
 # Make compare_digest more constant-time
 Patch80: CVE-2022-48566-compare_digest-more-constant.patch
+# PATCH-FIX-OPENSUSE CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch bpo#3151 mc...@suse.com
+# We don't have fix for bpo#3151 and it is just not supported
+Patch81: CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch
+# PATCH-FIX-UPSTREAM CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch bsc#1221854 mc...@suse.com
+# detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016).
+Patch82: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
 # COMMON-PATCH-END
 %define python_version %(echo %{tarversion} | head -c 3)
 BuildRequires: automake
@@ -268,11 +271,9 @@
 %patch -P 5 -p1
 %patch -P 7 -p1
 %patch -P 8 -p1
-%patch -P 10 -p1
 %patch -P 13 -p1
 %patch -P 17 -p1
 %patch -P 20 -p1
-%patch -P 22 -p1
 %patch -P 24 -p1
 %patch -P 33 -p1
 %if %{suse_version} < 1500 && !0%{?is_opensuse}
@@ -322,6 +323,8 @@ %patch -P 78 -p1 %patch -P 79 -p1 %patch -P 80 -p1 +%patch -P 81 -p1 +%patch -P 82 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar ++++++ python-doc.spec ++++++ --- /var/tmp/diff_new_pack.uZLfUe/_old 2024-05-21 18:34:43.406624356 +0200 +++ /var/tmp/diff_new_pack.uZLfUe/_new 2024-05-21 18:34:43.410624501 +0200 @@ -47,13 +47,10 @@ Patch5: python-2.7.4-canonicalize2.patch Patch7: python-2.6-gettext-plurals.patch Patch8: python-2.6b3-curses-panel.patch -Patch10: sparc_longdouble.patch Patch13: python-2.7.2-fix_date_time_compiler.patch Patch17: remove-static-libpython.patch # PATCH-FEATURE-OPENSUSE python-bundle-lang.patch bnc#617751 dims...@opensuse.org -- gettext: when looking in default_localedir also check in locale-bundle. Patch20: python-bundle-lang.patch -# PATCH-FIX-UPSTREAM Fix argument passing in libffi for aarch64 -Patch22: python-2.7-libffi-aarch64.patch Patch24: python-bsddb6.patch # PATCH-FIX-UPSTREAM accept directory-based CA paths as well Patch33: python-2.7.9-ssl_ca_path.patch @@ -161,6 +158,12 @@ # PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mc...@suse.com # Make compare_digest more constant-time Patch80: CVE-2022-48566-compare_digest-more-constant.patch +# PATCH-FIX-OPENSUSE CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch bpo#3151 mc...@suse.com +# We don't have fix for bpo#3151 and it is just not supported +Patch81: CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch +# PATCH-FIX-UPSTREAM CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch bsc#1221854 mc...@suse.com +# detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). +Patch82: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch # COMMON-PATCH-END Provides: pyth_doc = %{version} Provides: pyth_ps = %{version} 
@@ -198,11 +201,9 @@ %patch -P 5 -p1 %patch -P 7 -p1 %patch -P 8 -p1 -%patch -P 10 -p1 %patch -P 13 -p1 %patch -P 17 -p1 %patch -P 20 -p1 -%patch -P 22 -p1 %patch -P 24 -p1 %patch -P 33 -p1 %if %{suse_version} < 1500 && !0%{?is_opensuse} @@ -252,6 +253,8 @@ %patch -P 78 -p1 %patch -P 79 -p1 %patch -P 80 -p1 +%patch -P 81 -p1 +%patch -P 82 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar ++++++ python.spec ++++++ --- /var/tmp/diff_new_pack.uZLfUe/_old 2024-05-21 18:34:43.442625665 +0200 +++ /var/tmp/diff_new_pack.uZLfUe/_new 2024-05-21 18:34:43.442625665 +0200 @@ -47,13 +47,10 @@ Patch5: python-2.7.4-canonicalize2.patch Patch7: python-2.6-gettext-plurals.patch Patch8: python-2.6b3-curses-panel.patch -Patch10: sparc_longdouble.patch Patch13: python-2.7.2-fix_date_time_compiler.patch Patch17: remove-static-libpython.patch # PATCH-FEATURE-OPENSUSE python-bundle-lang.patch bnc#617751 dims...@opensuse.org -- gettext: when looking in default_localedir also check in locale-bundle. Patch20: python-bundle-lang.patch -# PATCH-FIX-UPSTREAM Fix argument passing in libffi for aarch64 -Patch22: python-2.7-libffi-aarch64.patch Patch24: python-bsddb6.patch # PATCH-FIX-UPSTREAM accept directory-based CA paths as well Patch33: python-2.7.9-ssl_ca_path.patch 
@@ -161,6 +158,12 @@ # PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mc...@suse.com # Make compare_digest more constant-time Patch80: CVE-2022-48566-compare_digest-more-constant.patch +# PATCH-FIX-OPENSUSE CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch bpo#3151 mc...@suse.com +# We don't have fix for bpo#3151 and it is just not supported +Patch81: CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch +# PATCH-FIX-UPSTREAM CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch bsc#1221854 mc...@suse.com +# detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). +Patch82: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -318,11 +321,9 @@ %patch -P 5 -p1 %patch -P 7 -p1 %patch -P 8 -p1 -%patch -P 10 -p1 %patch -P 13 -p1 %patch -P 17 -p1 %patch -P 20 -p1 -%patch -P 22 -p1 %patch -P 24 -p1 %patch -P 33 -p1 %if %{suse_version} < 1500 && !0%{?is_opensuse} @@ -372,6 +373,8 @@ %patch -P 78 -p1 %patch -P 79 -p1 %patch -P 80 -p1 +%patch -P 81 -p1 +%patch -P 82 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar ++++++ CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch ++++++ --- Lib/test/test_minidom.py | 3 ++- Lib/test/test_xml_etree.py | 6 ------ 2 files changed, 2 insertions(+), 7 deletions(-) --- a/Lib/test/test_minidom.py +++ b/Lib/test/test_minidom.py @@ -1051,7 +1051,8 @@ class MinidomTest(unittest.TestCase): # Verify that character decoding errors raise exceptions instead # of crashing - self.assertRaises(UnicodeDecodeError, parseString, + self.assertRaises((UnicodeDecodeError, xml.parsers.expat.ExpatError), + parseString, '<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>') doc.unlink() --- a/Lib/test/test_xml_etree.py +++ b/Lib/test/test_xml_etree.py 
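Review bot: The patch file carries no description above its diffstat, so this hunk, which widens the accepted exception to `(UnicodeDecodeError, xml.parsers.expat.ExpatError)`, and the pure deletion of `test_issue3151` in the next hunk appear under a CVE-2023-52425 file name without saying what they adapt. Neither hunk touches library code, so presumably the CVE itself is handled by the system libexpat and these are test-suite adaptations; a header such as `Adapt the XML tests to libexpat 2.6.0 (CVE-2023-52425): accept ExpatError on undecodable input and drop test_issue3151, since bpo#3151 is not fixed in this package` above the diffstat would make that explicit. For the next hunk, marking the test with `@unittest.expectedFailure` plus a comment citing bpo#3151 instead of deleting it would keep it visible if the behaviour changes again. The enclosing `MinidomTest` method starts outside this hunk.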
@@ -1482,12 +1482,6 @@ class BugsTest(unittest.TestCase):
 b"<?xml version='1.0' encoding='ascii'?>\n"
 b'<body>tãg</body>')
 
- def test_issue3151(self):
- e = ET.XML('<prefix:localname xmlns:prefix="${stuff}"/>')
- self.assertEqual(e.tag, '{${stuff}}localname')
- t = ET.ElementTree(e)
- self.assertEqual(ET.tostring(e), b'<ns0:localname xmlns:ns0="${stuff}" />')
-
 def test_issue6565(self):
 elem = ET.XML("<body><tag/></body>")
 self.assertEqual(summarize_list(elem), ['tag'])
++++++ CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch ++++++
>From d8877aaabe9aa5d9b9904c222c552f3c6a85017c Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storch...@gmail.com>
Date: Wed, 17 Jan 2024 15:41:50 +0200
Subject: [PATCH] [CVE-2024-0450] Protect zipfile from "quoted-overlap" zipbomb
Raise BadZipFile when try to read an entry that overlaps with other entry or central directory.
(cherry picked from commit 66363b9a7b9fe7c99eba3a185b74c5fdbf842eba)
From-PR: gh#python/cpython!110016
Fixes: gh#python/cpython#109858
Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
---
Lib/test/test_zipfile.py | 66 +++++++++-
Lib/zipfile.py | 12 +
Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst | 3
3 files changed, 78 insertions(+), 3 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst
--- a/Lib/test/test_zipfile.py
+++ b/Lib/test/test_zipfile.py
@@ -1004,7 +1004,7 @@ class OtherTests(unittest.TestCase):
 self.assertTrue(not chk)
 
 def test_damaged_zipfile(self):
- """Check that zipfiles with missing bytes at the end raise BadZipFile."""
+ """Check that zipfiles with missing bytes at the end raise BadZipfile."""
 # - Create a valid zip file
 fp = io.BytesIO()
 with zipfile.ZipFile(fp, mode="w") as zipf:
@@ -1012,7 +1012,7 @@ class OtherTests(unittest.TestCase): zipfiledata = fp.getvalue() # - Now create copies of it missing the last N bytes and make sure - # a BadZipFile exception is raised when we try to open it + # a BadZipfile exception is raised when we try to open it for N in range(len(zipfiledata)): fp = io.BytesIO(zipfiledata[:N]) self.assertRaises(zipfile.BadZipfile, zipfile.ZipFile, fp) @@ -1053,7 +1053,7 @@ class OtherTests(unittest.TestCase): # quickly. self.assertRaises(IOError, zipfile.ZipFile, TESTFN) - def test_empty_file_raises_BadZipFile(self): + def test_empty_file_raises_BadZipfile(self): with open(TESTFN, 'w') as f: pass self.assertRaises(zipfile.BadZipfile, zipfile.ZipFile, TESTFN) 
@@ -1377,6 +1377,66 @@ class TestsWithRandomBinaryFiles(unittes
 with open(TESTFN, "wb") as fp:
 fp.write(self.data)
 
+ @skipUnless(zlib, "requires zlib")
+ def test_full_overlap(self):
+ data = (
+ b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2\x1e'
+ b'8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00a\xed'
+ b'\xc0\x81\x08\x00\x00\x00\xc00\xd6\xfbK\\d\x0b`P'
+ b'K\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2'
+ b'\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00\x00'
+ b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00aPK'
+ b'\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2\x1e'
+ b'8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00\x00\x00'
+ b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00bPK\x05'
+ b'\x06\x00\x00\x00\x00\x02\x00\x02\x00^\x00\x00\x00/\x00\x00'
+ b'\x00\x00\x00'
+ )
+ with zipfile.ZipFile(io.BytesIO(data), 'r') as zipf:
+ self.assertEqual(zipf.namelist(), ['a', 'b'])
+ zi = zipf.getinfo('a')
+ self.assertEqual(zi.header_offset, 0)
+ self.assertEqual(zi.compress_size, 16)
+ self.assertEqual(zi.file_size, 1033)
+ zi = zipf.getinfo('b')
+ self.assertEqual(zi.header_offset, 0)
+ self.assertEqual(zi.compress_size, 16)
+ self.assertEqual(zi.file_size, 1033)
+ self.assertEqual(len(zipf.read('a')), 1033)
+ with self.assertRaisesRegexp(zipfile.BadZipfile, 'File name.*differ'):
+ zipf.read('b')
+
+ @skipUnless(zlib, "requires zlib")
+ def test_quoted_overlap(self):
+ data = (
+ b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05Y\xfc'
+ b'8\x044\x00\x00\x00(\x04\x00\x00\x01\x00\x00\x00a\x00'
+ b'\x1f\x00\xe0\xffPK\x03\x04\x14\x00\x00\x00\x08\x00\xa0l'
+ b'H\x05\xe2\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00'
+ b'\x00\x00b\xed\xc0\x81\x08\x00\x00\x00\xc00\xd6\xfbK\\'
+ b'd\x0b`PK\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0'
+ b'lH\x05Y\xfc8\x044\x00\x00\x00(\x04\x00\x00\x01'
+ b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
+ b'\x00aPK\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0l'
+ b'H\x05\xe2\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00'
+ b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x00\x00'
+ b'bPK\x05\x06\x00\x00\x00\x00\x02\x00\x02\x00^\x00\x00'
+ b'\x00S\x00\x00\x00\x00\x00'
+ )
+ with zipfile.ZipFile(io.BytesIO(data), 'r') as zipf:
+ self.assertEqual(zipf.namelist(), ['a', 'b'])
+ zi = zipf.getinfo('a')
+ self.assertEqual(zi.header_offset, 0)
+ self.assertEqual(zi.compress_size, 52)
+ self.assertEqual(zi.file_size, 1064)
+ zi = zipf.getinfo('b')
+ self.assertEqual(zi.header_offset, 36)
+ self.assertEqual(zi.compress_size, 16)
+ self.assertEqual(zi.file_size, 1033)
+ with self.assertRaisesRegexp(zipfile.BadZipfile, 'Overlapped entries'):
+ zipf.read('a')
+ self.assertEqual(len(zipf.read('b')), 1033)
+
 def tearDown(self):
 unlink(TESTFN)
 unlink(TESTFN2)
--- a/Lib/zipfile.py
+++ b/Lib/zipfile.py
@@ -305,6 +305,7 @@ class ZipInfo (object):
 'compress_size',
 'file_size',
 '_raw_time',
+ '_end_offset',
 )
 
 def __init__(self, filename="NoName", date_time=(1980,1,1,0,0,0)):
@@ -343,6 +344,7 @@ class ZipInfo (object):
 self.volume = 0 # Volume number of file header
 self.internal_attr = 0 # Internal attributes
 self.external_attr = 0 # External file attributes
+ self._end_offset = None # Start of the next local header or central directory
 # Other attributes are set by class ZipFile:
 # header_offset Byte offset to the file header
 # CRC CRC-32 of the uncompressed file
@@ -891,6 +893,12 @@ class ZipFile(object):
 if self.debug > 2:
 print "total", total
 
+ end_offset = self.start_dir
+ for zinfo in sorted(self.filelist,
+ key=lambda zinfo: zinfo.header_offset,
+ reverse=True):
+ zinfo._end_offset = end_offset
+ end_offset = zinfo.header_offset
 
 def namelist(self):
 """Return a list of file names in the archive."""
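Review bot: The new `Overlapped entries` path is exercised only for an entry running into the next local header (`test_quoted_overlap`: entry 'a' at offset 0 with compress_size 52 against 'b' at offset 36); nothing covers the other bound the fix seeds from `self.start_dir`, an entry whose compressed data would run into the central directory, so a third case built like these two with the last entry's central-directory compress_size extended past the central-directory offset would pin that branch. `test_full_overlap` is satisfied by the pre-existing 'File name.*differ' check rather than the new guard, which a one-line comment on that test should state so nobody later "fixes" it to expect the overlap message. Both tests ignore the fixture that this class's `setUp` writes to TESTFN (visible in the context lines), so they would arguably sit better in a class without that setup.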
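Review bot: The added block at the end of this hunk carries no comment explaining what `_end_offset` means or why `self.filelist` is walked in descending `header_offset` order, and it sits at the tail of a method whose start is outside the hunk (presumably `_RealGetContents`, going by the `print "total", total` context). A comment such as `# Walk entries from the highest offset down so each one records where its data must end: the next local header, or the central directory for the last entry; open() uses this to reject overlapping entries.` would make the invariant clear. Two entries sharing a `header_offset` leave one of them with `_end_offset == header_offset`; from the next hunk that case is reached only after the file-name comparison, which is worth recording since the order of the two checks is what decides which error is raised. The lambda parameter also shadows the loop variable `zinfo`; `key=lambda zi: zi.header_offset` avoids the double binding.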
@@ -1002,6 +1010,10 @@ class ZipFile(object):
 'File name in directory "%s" and header "%s" differ.' % (
 zinfo.orig_filename, fname)
 
+ if (zinfo._end_offset is not None and
+ zef_file.tell() + zinfo.compress_size > zinfo._end_offset):
+ raise BadZipfile("Overlapped entries: {!r} (possible zip bomb)".format(zinfo.orig_filename))
+
 # check for encrypted flag & handle password
 is_encrypted = zinfo.flag_bits & 0x1
 zd = None
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst
@@ -0,0 +1,3 @@
+Protect :mod:`zipfile` from "quoted-overlap" zipbomb. It now raises
+BadZipfile when try to read an entry that overlaps with other entry or
+central directory.
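Review bot: The new guard is only as strong as `zef_file.tell()` at this point: it assumes the local header, file name and extra field have all been consumed before the comparison, which the hunk cannot show because the earlier lines of `open()` are outside it. If the extra field were still unread here, an overlap shorter than that field would pass unnoticed, so the assumption deserves a comment, e.g. `# zef_file now sits at the start of this entry's data; reject the entry if its compressed size from the central directory would run into the next local header or the central directory (CVE-2024-0450 "quoted-overlap" zip bomb).` ZipInfo objects that never went through the central-directory walk keep the `None` assigned in `__init__` and skip the check; the `is not None` test makes that deliberate, and the comment should say so. The message uses `str.format` while the adjacent code uses `%`-formatting; `raise BadZipfile("Overlapped entries: %r (possible zip bomb)" % zinfo.orig_filename)` matches the surrounding style.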