python 3.11 zipbomb attack (CVE-2024-0450)

Related Vulnerabilities: CVE-2024-0450  

Debian Bug report logs - #1070133

Reported by: Steve McIntyre <steve@einval.com>

Date: Tue, 30 Apr 2024 17:24:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version python3.11/3.11.2-6

Fixed in version python3.11/3.11.8-1

Forwarded to https://github.com/python/cpython/issues/109858



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Matthias Klose <doko@debian.org>:
Bug#1070133; Package src:python3.11. (Tue, 30 Apr 2024 17:24:04 GMT)


Acknowledgement sent to Steve McIntyre <steve@einval.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Matthias Klose <doko@debian.org>. (Tue, 30 Apr 2024 17:24:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steve McIntyre <steve@einval.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python 3.11 zipbomb attack (CVE-2024-0450)
Date: Tue, 30 Apr 2024 18:18:32 +0100
Source: python3.11
Version: 3.11.2-6
Severity: important
Tags: upstream security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Quoting https://security-tracker.debian.org/tracker/CVE-2024-0450:

An issue was found in the CPython `zipfile` module affecting versions
3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile
module is vulnerable to “quoted-overlap” zip-bombs which exploit the
zip format to create a zip-bomb with a high compression ratio. The
fixed versions of CPython make the zipfile module reject zip archives
which overlap entries in the archive.

Upstream have a patch for this, against 3.11.8. It's not too hard to
backport - I'll attach the tweaked patch shortly.

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-20-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- debconf-show failed
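The overlap rejection described in the tracker text above is the fix inside CPython's `zipfile`; a deployment that cannot yet install the patched package can apply an equivalent pre-extraction check of its own, together with a declared-size cap, before handing untrusted archives to an extractor. The block below is an added example written for this page and is not code from the bug report, from Debian or from CPython. It reads each entry's local header, computes the byte range that entry claims in the file, flags ranges that overlap, and also enforces a limit on total declared uncompressed size and on the overall compression ratio. The function names (`entry_spans`, `find_overlaps`, `check_archive`, `make_sample_zip`) and the default limits are assumptions; the sample archives are constructed inline with the standard-library writer.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIZE = 30            # fixed part of a local file header
LOCAL_HEADER_SIG = b"PK\x03\x04"


def entry_spans(zf):
    """Byte range [start, end) that each central-directory entry claims.

    The local header is read so that its own name/extra lengths, which may
    differ from those recorded in the central directory, determine where the
    compressed data begins.  Returns a list of (start, end, name) tuples.
    """
    spans = []
    for zi in zf.infolist():
        zf.fp.seek(zi.header_offset)
        hdr = zf.fp.read(LOCAL_HEADER_SIZE)
        if len(hdr) != LOCAL_HEADER_SIZE or hdr[:4] != LOCAL_HEADER_SIG:
            raise zipfile.BadZipFile(f"bad local header for {zi.filename!r}")
        name_len, extra_len = struct.unpack("<HH", hdr[26:30])
        data_start = zi.header_offset + LOCAL_HEADER_SIZE + name_len + extra_len
        spans.append((zi.header_offset, data_start + zi.compress_size, zi.filename))
    return spans


def find_overlaps(spans):
    """Return (earlier, later) name pairs whose byte ranges overlap.

    Entries are walked in file order while tracking the furthest end seen so
    far, so an entry nested inside a large earlier one is caught even when it
    does not touch its immediate neighbour.
    """
    overlaps = []
    prev_end, prev_name = -1, None
    for start, end, name in sorted(spans):
        if start < prev_end:
            overlaps.append((prev_name, name))
        if end > prev_end:
            prev_end, prev_name = end, name
    return overlaps


def check_archive(data, max_total_uncompressed=64 * 1024 * 1024, max_ratio=100):
    """Inspect archive bytes before extraction; return a list of findings.

    An empty list means no overlap was found and the declared sizes are within
    the configured limits (assumed defaults: 64 MiB total, 100:1 ratio).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for earlier, later in find_overlaps(entry_spans(zf)):
            findings.append(f"overlapping entries: {earlier!r} and {later!r}")
        infos = zf.infolist()
        total_uncompressed = sum(zi.file_size for zi in infos)
        total_compressed = sum(zi.compress_size for zi in infos)
        if total_uncompressed > max_total_uncompressed:
            findings.append(
                f"declared size {total_uncompressed} exceeds limit {max_total_uncompressed}"
            )
        if total_compressed and total_uncompressed / total_compressed > max_ratio:
            findings.append(
                f"compression ratio {total_uncompressed // total_compressed}:1 "
                f"exceeds {max_ratio}:1"
            )
    return findings


def make_sample_zip(payloads):
    """Constructed test input: a well-formed archive built with the stdlib writer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in payloads:
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    clean = make_sample_zip([("a.txt", b"hello"), ("b.txt", b"world")])
    print(check_archive(clean))
    # Highly compressible but legitimate content trips the size and ratio caps.
    compressible = make_sample_zip([("zeros.bin", b"\0" * (4 * 1024 * 1024))])
    print(check_archive(compressible, max_total_uncompressed=1024 * 1024))
```

This is a triage step for untrusted input, not a substitute for the upstream fix: the patched `zipfile` performs the equivalent overlap test inside `ZipFile.open()`, at the point where the local header is actually consumed, and raises `BadZipFile` there, so the two checks complement each other rather than one replacing the other.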

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#1070133; Package src:python3.11. (Tue, 30 Apr 2024 17:36:02 GMT)


Acknowledgement sent to Steve McIntyre <steve@einval.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Tue, 30 Apr 2024 17:36:02 GMT)


Message #10 received at 1070133@bugs.debian.org:

From: Steve McIntyre <steve@einval.com>
To: 1070133@bugs.debian.org
Cc: steve.mcintyre@pexipdemo.com
Subject: Re: Bug#1070133: Acknowledgement (python 3.11 zipbomb attack (CVE-2024-0450))
Date: Tue, 30 Apr 2024 18:32:16 +0100
Control: fixed 1070133 3.11.8-1

On Tue, Apr 30, 2024 at 05:24:04PM +0000, Debian Bug Tracking System wrote:
>Thank you for filing a new Bug report with Debian.
>
>You can follow progress on this Bug here: 1070133: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070133.
>
>This is an automatically generated reply to let you know your message
>has been received.
>
>Your message is being forwarded to the package maintainers and other
>interested parties for their attention; they will reply in due course.
>
>As you requested using X-Debbugs-CC, your message was also forwarded to
>  debian security team <team@security.debian.org>
>(after having been given a Bug report number, if it did not have one).
>
>Your message has been sent to the package maintainer(s):
> Matthias Klose <doko@debian.org>
>
>If you wish to submit further information on this problem, please
>send it to 1070133@bugs.debian.org.
>
>Please do not send mail to owner@bugs.debian.org unless you wish
>to report a problem with the Bug-tracking system.
>
>-- 
>1070133: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070133
>Debian Bug Tracking System
>Contact owner@bugs.debian.org with problems
>
-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
You raise the blade, you make the change... You re-arrange me 'til I'm sane...




Marked as fixed in versions python3.11/3.11.8-1. Request was from Steve McIntyre <steve@einval.com> to 1070133-submit@bugs.debian.org. (Tue, 30 Apr 2024 17:36:02 GMT)


Set Bug forwarded-to-address to 'https://github.com/python/cpython/issues/109858'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 30 Apr 2024 19:00:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#1070133; Package src:python3.11. (Wed, 01 May 2024 10:12:02 GMT)


Acknowledgement sent to Steve McIntyre <steve@einval.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Wed, 01 May 2024 10:12:03 GMT)


Message #19 received at 1070133@bugs.debian.org:

From: Steve McIntyre <steve@einval.com>
To: 1070133@bugs.debian.org, 1070135@bugs.debian.org
Cc: steve.mcintyre@pexip.com
Subject: Patches for these two bugs
Date: Wed, 1 May 2024 11:07:10 +0100
Control: tag 1070133 +patch
Control: tag 1070135 +patch

Here's a debdiff against what's already in 3.11.2-6+deb12u1 in
-proposed-updates

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
< sladen> I actually stayed in a hotel and arrived to find a post-it
          note stuck to the mini-bar saying "Paul: This fridge and
          fittings are the correct way around and do not need altering"
[python3.11_3.11.2-6+deb12u2.debdiff (text/plain, attachment)]

Added tag(s) patch. Request was from Steve McIntyre <steve@einval.com> to 1070133-submit@bugs.debian.org. (Wed, 01 May 2024 10:12:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 1 11:55:00 2024; Machine Name: buxtehude
