.. _zipfile-file-size-dos:

zipfile DoS using invalid file size
===================================

.. warning::

   This resource is maintained for historical reference and **does not contain
   the latest vulnerability info for Python**.

   The canonical database for vulnerabilities affecting Python is available on
   GitHub in the Open Source Vulnerability (OSV) format.

   This vulnerability can be viewed online at the Open Source Vulnerability
   Database.

Python before 3.3.4 RC1 allows remote attackers to cause a denial of service
(infinite loop and 100% CPU consumption) via a crafted zip archive in which a
member's recorded file size is larger than the zip file itself, when the
archive is read with any of the following functions:

* ``ZipExtFile.read()``
* ``ZipExtFile.readlines()``
* ``ZipFile.extract()``
* ``ZipFile.extractall()``

The changelog entry for the fix reads: "Reading malformed zipfiles no longer
hangs with 100% CPU consumption."

Python 2.7 is not affected.

Dates:

* Disclosure date: **2013-12-27** (Python issue bpo-20078 reported)

Fixed In
--------

* Python **3.3.4** (2014-02-09) fixed by commit 5ce3f10 (branch 3.3)
  (2014-01-09)
* Python **3.4.0** (2014-03-16) fixed by commit 5ce3f10 (branch 3.3)
  (2014-01-09)

Python issue
------------

zipfile - ZipExtFile.read goes into 100% CPU infinite loop on maliciously
binary edited zips.

* Python issue: bpo-20078
* Creation date: 2013-12-27
* Reporter: Nandiya

CVE-2013-7338
-------------

Python before 3.3.4 RC1 allows remote attackers to cause a denial of service
(infinite loop and CPU consumption) via a file size value larger than the size
of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n),
(3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall
function.

* CVE ID: CVE-2013-7338
* Published: 2014-04-22
* CVSS Score: 7.1

Timeline
--------

Timeline using the disclosure date **2013-12-27** as reference:

* 2013-12-27: Python issue bpo-20078 reported by Nandiya
* 2014-01-09 (**+13 days**): commit 5ce3f10 (branch 3.3)
* 2014-02-09 (**+44 days**): Python 3.3.4 released
* 2014-03-16 (**+79 days**): Python 3.4.0 released
* 2014-04-22 (**+116 days**): CVE-2013-7338 published
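The report above concerns a zip member whose size fields are larger than the archive that contains it. The following added example, written for this page and not part of CPython or the original advisory, builds such an archive in memory by binary-editing the size fields of a valid zip (the "maliciously binary edited" case from the issue title), then shows the container-size pre-check and bounded reader that a consumer of untrusted archives can apply before calling ``ZipFile.extractall()``. The helper names (``tamper_sizes``, ``oversized_members``, ``read_member_bounded``), the constructed ``a.txt`` member and the 1 MiB budget are this example's own assumptions. The pre-check rejects the inconsistent member before any compressed data is read, which also protects callers that still run an unfixed interpreter.

```python
"""Added example (not CPython code): detect a zip member whose declared sizes
exceed the archive that contains it, the condition behind bpo-20078."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"      # local file header signature
CENTRAL_SIG = b"PK\x01\x02"    # central directory file header signature
HUGE = 0x7FFFFFFF              # bogus size; avoids the 0xFFFFFFFF ZIP64 marker
MAX_MEMBER_BYTES = 1 << 20     # per-member read budget assumed by this example


def build_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample archive: one STORED member, so the size fields in the
    headers are plain 32-bit integers that are easy to overwrite."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def tamper_sizes(archive: bytes, compress_size: int, file_size: int) -> bytes:
    """Overwrite the size fields of the first member in both the local header
    (compressed size at +18, uncompressed at +22) and the central directory
    entry (+20 and +24), mimicking a hand-edited malicious archive."""
    data = bytearray(archive)
    local = data.find(LOCAL_SIG)
    central = data.find(CENTRAL_SIG)
    if local < 0 or central < 0:
        raise ValueError("not a zip archive")
    struct.pack_into("<LL", data, local + 18, compress_size, file_size)
    struct.pack_into("<LL", data, central + 20, compress_size, file_size)
    return bytes(data)


def oversized_members(zf: zipfile.ZipFile, archive_size: int) -> list:
    """Names of members whose declared compressed data cannot lie inside the
    archive. The 30-byte local header plus name/extra precedes the data, so
    header_offset + compress_size is a lower bound on where the data would
    end; a member past archive_size is necessarily inconsistent."""
    return [
        info.filename
        for info in zf.infolist()
        if info.header_offset + info.compress_size > archive_size
    ]


def read_member_bounded(archive: bytes, name: str,
                        max_bytes: int = MAX_MEMBER_BYTES) -> bytes:
    """Read one member defensively: refuse inconsistent headers and oversized
    declared sizes up front, then read in chunks and stop as soon as the data
    outgrows what the central directory declared."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        if name in oversized_members(zf, len(archive)):
            raise zipfile.BadZipFile(f"{name}: compressed size exceeds archive")
        info = zf.getinfo(name)
        if info.file_size > max_bytes:
            raise ValueError(f"{name}: declared size {info.file_size} over budget")
        out = bytearray()
        with zf.open(info) as fp:
            while True:
                chunk = fp.read(64 * 1024)
                if not chunk:
                    break
                out += chunk
                if len(out) > info.file_size:
                    raise zipfile.BadZipFile(f"{name}: more data than declared")
        return bytes(out)


# Constructed inputs: a pristine archive and the same bytes with inflated sizes.
GOOD_ZIP = build_zip("a.txt", b"hello")
BAD_ZIP = tamper_sizes(GOOD_ZIP, HUGE, HUGE)


def demo() -> dict:
    """Run the checks on both archives and return what each one yielded."""
    result = {}
    for label, archive in (("good", GOOD_ZIP), ("bad", BAD_ZIP)):
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            result[label + "_oversized"] = oversized_members(zf, len(archive))
        try:
            result[label + "_read"] = read_member_bounded(archive, "a.txt")
        except (zipfile.BadZipFile, ValueError) as exc:
            result[label + "_read"] = type(exc).__name__
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

``oversized_members`` deliberately ignores the local header length, so the bound it computes is conservative and cannot produce false positives on a well-formed archive; for an archive on disk pass ``os.path.getsize(path)`` as ``archive_size``. The second guard in ``read_member_bounded`` (the running total against ``info.file_size``) is what stops a reader from being fed more bytes than the directory promised even when the sizes fit inside the container.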