Hello,

I am a bit confused about this.


On Tue, 2024-03-19 at 11:10 -0400, Ee Durbin wrote:
> An issue was found in the CPython `zipfile` module affecting versions
> 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior.

It seems that 3.11.8 and 3.12.2 already contained a patch for this:

$ git describe --contains a956e510f6336d5ae111ba429a61c3ade30a7549
v3.11.8~173
$ git describe --contains fa181fcf2156f703347b03a3b1966ce47be8ab3b
v3.12.2~196

> The zipfile module is vulnerable to “quoted-overlap” zip-bombs which
> exploit the zip format to create a zip-bomb with a high compression ratio.
> The fixed versions of CPython make the zipfile module reject zip archives
> which overlap entries in the archive.

-- 
Best regards,
Michał Górny
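As an added example (not code from this thread, nor CPython's own), here is a standalone checker that flags the overlapping-entry layout the advisory describes. It applies the same comparison the fixed zipfile performs: an entry's compressed data must end before the next entry's local header (or, for the last entry, before the central directory). The test fixture is a deliberately malformed archive built in memory; `find_overlapping_entries`, `build_clean_zip` and `build_overlapping_zip` are names chosen for this example.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIZE = 30            # fixed part of a local file header
LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_HEADER_SIG = b"PK\x01\x02"

def find_overlapping_entries(data: bytes) -> list[str]:
    """Return names of entries whose compressed data runs into the next
    entry's local header, or past the start of the central directory."""
    bio = io.BytesIO(data)
    with zipfile.ZipFile(bio) as zf:
        # Central-directory metadata only; nothing is decompressed.
        infos = sorted(zf.infolist(), key=lambda zi: zi.header_offset)
        cd_start = zf.start_dir     # offset of the central directory
    flagged = []
    for idx, zi in enumerate(infos):
        limit = infos[idx + 1].header_offset if idx + 1 < len(infos) else cd_start
        bio.seek(zi.header_offset)
        hdr = bio.read(LOCAL_HEADER_SIZE)
        if len(hdr) < LOCAL_HEADER_SIZE or hdr[:4] != LOCAL_HEADER_SIG:
            flagged.append(zi.filename)   # no valid local header: treat as suspect
            continue
        name_len, extra_len = struct.unpack("<HH", hdr[26:30])
        data_start = zi.header_offset + LOCAL_HEADER_SIZE + name_len + extra_len
        if data_start + zi.compress_size > limit:
            flagged.append(zi.filename)
    return flagged

def build_clean_zip() -> bytes:
    """Constructed sample: two stored entries laid out back to back."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"hello")
        zf.writestr("b.txt", b"world")
    return buf.getvalue()

def build_overlapping_zip() -> bytes:
    """Constructed malformed fixture: point b.txt's central-directory record
    at a.txt's local header (offset 0), so both entries claim the same bytes."""
    data = bytearray(build_clean_zip())
    pos = data.find(CENTRAL_HEADER_SIG)
    while pos != -1:
        name_len = struct.unpack_from("<H", data, pos + 28)[0]
        if data[pos + 46:pos + 46 + name_len] == b"b.txt":
            struct.pack_into("<I", data, pos + 42, 0)   # local header offset field
            break
        pos = data.find(CENTRAL_HEADER_SIG, pos + 4)
    return bytes(data)
```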

_______________________________________________
Security-SIG mailing list -- security-sig@python.org
To unsubscribe send an email to security-sig-le...@python.org
https://mail.python.org/mailman3/lists/security-sig.python.org/