CVE-2013-7338: zipfile DoS using malformed file

Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the functions:

  • ZipExtFile.read()
  • ZipExtFile.readlines()
  • ZipFile.extract()
  • ZipFile.extractall()

Reading malformed zipfiles no longer hangs with 100% CPU consumption.

Python 2.7 is not affected.

  • Disclosure date: 2013-12-27 (Python issue #20078 reported)

Fixed In

Python issue

zipfile - ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips.

  • Python issue: issue #20078
  • Creation date: 2013-12-27
  • Reporter: Nandiya

CVE-2013-7338

Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.
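One pre-extraction check a defender can run on untrusted archives, as an added example that is not the Python project's fix and not code from issue #20078: it parses only the central directory (no entry data is read, so the affected ZipExtFile.read() path is never entered), flags entries whose declared compressed size cannot fit inside the archive, and builds a constructed one-entry archive with its size fields inflated to show the check firing. The helper names are assumptions of this example.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
CDIR_SIG = b"PK\x01\x02"   # central directory file header signature


def build_sample_zip() -> bytes:
    """Constructed sample archive with one deflated entry (not a real-world file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hello.txt", b"hello zip " * 200)
    return buf.getvalue()


def inflate_size_fields(data: bytes, bogus_size: int) -> bytes:
    """Copy of `data` whose first central directory entry declares `bogus_size`
    bytes for both compressed and uncompressed size, the malformation the CVE
    describes; the entry data itself is left untouched."""
    eocd = data.rfind(EOCD_SIG)
    if eocd == -1:
        raise ValueError("no end-of-central-directory record")
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4)
    (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
    if data[cd_offset:cd_offset + 4] != CDIR_SIG:
        raise ValueError("central directory offset does not point at an entry")
    patched = bytearray(data)
    # Central directory header: compressed size at +20, uncompressed size at +24.
    struct.pack_into("<II", patched, cd_offset + 20, bogus_size, bogus_size)
    return bytes(patched)


def find_oversized_entries(data: bytes) -> list:
    """Names of entries whose declared compressed size cannot fit in the archive.

    Only compress_size is checked: file_size (uncompressed) may legitimately
    exceed the archive length for a well-compressed entry."""
    archive_len = len(data)
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Entry data starts after the local header at header_offset, so it
            # must end even later; this bound is deliberately conservative.
            if info.compress_size > archive_len - info.header_offset:
                suspicious.append(info.filename)
    return suspicious
```

Run the check before calling extract()/extractall() on a Python older than 3.3.4, or as defence in depth on any version; an archive that fails it should be rejected rather than read.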

Timeline

Timeline using the disclosure date 2013-12-27 as reference:

  • 2013-12-27: Python issue #20078 reported by Nandiya
  • 2014-01-09 (+13 days): commit 5ce3f10
  • 2014-02-09 (+44 days): Python 3.3.4 released
  • 2014-03-16: Python 3.4.0 released
  • 2014-04-22 (+116 days): CVE-2013-7338 published