zipfile DoS using invalid file size

Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the functions:

• ZipExtFile.read()
• ZipExtFile.readlines()
• ZipFile.extract()
• ZipFile.extractall()

Reading malformed zipfiles no longer hangs with 100% CPU consumption.

Python 2.7 is not affected.

Dates:

• Disclosure date: 2013-12-27 (Python issue bpo-20078 reported)

Fixed In

• Python 3.3.4 (2014-02-09) fixed by commit 5ce3f10 (branch 3.3) (2014-01-09)
• Python 3.4.0 (2014-03-16) fixed by commit 5ce3f10 (branch 3.3) (2014-01-09)

Python issue

zipfile - ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips.

• Python issue: bpo-20078
• Creation date: 2013-12-27
• Reporter: Nandiya

CVE-2013-7338

Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.

• CVE ID: CVE-2013-7338
• Published: 2014-04-22
• CVSS Score: 7.1

Timeline

Timeline using the disclosure date 2013-12-27 as reference:

• 2013-12-27: Python issue bpo-20078 reported by Nandiya
• 2014-01-09 (+13 days): commit 5ce3f10 (branch 3.3)
• 2014-02-09 (+44 days): Python 3.3.4 released
• 2014-03-16: Python 3.4.0 released
• 2014-04-22 (+116 days): CVE-2013-7338 published