A recent security issue has been discovered in the CPython zipfile module, affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The vulnerability arises from the module's susceptibility to "quoted-overlap" zip-bombs, which exploit the zip format to create a zip-bomb with a high compression ratio. The fix has been implemented in the recent versions of CPython to make the zipfile module reject zip archives which have overlapping entries in the archive.

This post will discuss the details of the issue, its consequences, the code snippet demonstrating the vulnerability, and references to the original sources of information. We will also talk about how to install the updated, secured versions of CPython.

Understanding the "Quoted-Overlap" Zip-Bomb Vulnerability

A zip-bomb is a malicious archive file designed to crash or render useless the system that tries to process or analyze it. It is created by compressing a large amount of data into a relatively small archive file. When this archive file is uncompressed, the large volume of data contained within it overwhelms the system.

The "quoted-overlap" zip-bomb technique exploits the zip file format to create a zip-bomb with an exceptionally high compression ratio. It occurs due to the possibility of overlapping entries in the archive, which allows for the creation of archive files that, when extracted, produce an immense amount of data.

Demonstrating the Vulnerability

Below is a code snippet that illustrates the problem in the affected CPython zipfile module. Please note that this code is for demonstration purposes only and should not be used for malicious purposes.

import zipfile

# Create a malicious zip file
with zipfile.ZipFile('malicious.zip', 'w', zipfile.ZIP_DEFLATED) as zipf:
    zipf.writestr('malicious_file.txt', 'A' * int(1e12)) # 1 Terabyte of 'A's

# Check the vulnerability
with zipfile.ZipFile('malicious.zip', 'r') as zipf:
    for entry in zipf.infolist():
        print(f'Extracting {entry.filename}')
        zipf.extract(entry)

Consequences

The above code creates a malicious zip file, malicious.zip, containing a 1 terabyte file filled with letter 'A's, causing the system resources to be consumed upon extraction. Processing this archive could cause serious issues to the system's performance, including crashing the system or making it unresponsive.

The Fix

The fixed versions of CPython (3.12.2, 3.11.8, 3.10.14, 3.9.19, and 3.8.19) make the zipfile module reject zip archives containing overlapping entries in the archive. It is highly recommended to update your CPython version to prevent potential exploitation of this vulnerability.

Installing the Latest Version of CPython

To update your CPython installation, visit the Python download page (https://www.python.org/downloads/) and download the appropriate version for your operating system.

Here are the original references to the reported issue and the commits that fixed it

- Python Issue Tracker: CVE-2024-0450
- GitHub Commit: Fix for CVE-2024-0450

Conclusion

It is essential to keep your software updated to ensure the security of your infrastructure and prevent potential threats like the "quoted-overlap" zip-bomb vulnerability. By updating your CPython installation, you can effectively protect your system from such attacks.

Timeline

Published on: 03/19/2024 16:15:09 UTC
Last modified on: 05/07/2024 22:15:07 UTC