Bug 927299 (CVE-2023-6597, CVE-2024-0450)

Summary: <dev-lang/python-{3.8.19,3.9.19,3.10.14,3.11.8,3.12.2}, <dev-python/pypy3_{9,10}-7.3.16: “quoted-overlap” zip-bombs in zipfile module, dereferencing symlinks in cleanup of TemporaryDirectory
Product: Gentoo Security
Reporter: Michał Górny <mgorny>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A1 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 927308, 927309, 927315, 929048, 929049, 929050, 930591    
Bug Blocks:    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-03-19 18:19:42 UTC
> The zipfile module is vulnerable to “quoted-overlap” zip-bombs which
> exploit the zip format to create a zip-bomb with a high compression ratio.
> The fixed versions of CPython make the zipfile module reject zip archives
> which overlap entries in the archive.

> The tempfile.TemporaryDirectory class would dereference symlinks during
> cleanup of permissions-related errors. This means users who can run
> privileged programs are potentially able to modify permissions of files
> referenced by symlinks in some circumstances.
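The overlap check that the fixed zipfile performs, written here as a stand-alone checker (an added example, not CPython's code and not part of this bug report): it walks the central directory, reads each entry's local header, computes the byte range that entry claims for header plus compressed data, and reports any two entries whose ranges overlap. The fixture builder is constructed for testing the checker; it only makes one central-directory record point at another entry's local header, which is the overlap condition itself, not a high-ratio bomb. The parser assumes a single-disk, non-ZIP64 archive with no trailing archive comment.

```python
import io
import struct
import zipfile

# ZIP on-disk structures (little-endian), laid out per the PKWARE APPNOTE.
LOCAL_HEADER = struct.Struct("<4s2B4HL2L2H")      # 30 bytes; [10]=name len, [11]=extra len
CENTRAL_HEADER = struct.Struct("<4s4B4HL2L5H2L")  # 46 bytes; [10]=compressed size,
                                                  # [12..14]=name/extra/comment len, [18]=local header offset
EOCD = struct.Struct("<4s4H2LH")                  # 22 bytes; [4]=total entries, [6]=central dir offset


def central_records(data: bytes):
    """Yield the offset of every central-directory record.
    Assumption: single-disk, non-ZIP64 archive with no trailing comment."""
    eocd = EOCD.unpack_from(data, len(data) - EOCD.size)
    if eocd[0] != b"PK\x05\x06":
        raise ValueError("end-of-central-directory record not found")
    pos = eocd[6]
    for _ in range(eocd[4]):
        yield pos
        f = CENTRAL_HEADER.unpack_from(data, pos)
        pos += CENTRAL_HEADER.size + f[12] + f[13] + f[14]


def entry_spans(data: bytes):
    """Yield (name, start, end) for each entry: the byte range it claims for
    its local header plus compressed data. Name and extra lengths come from the
    local header, because that is what a reader actually consumes."""
    for pos in central_records(data):
        f = CENTRAL_HEADER.unpack_from(data, pos)
        name_start = pos + CENTRAL_HEADER.size
        name = data[name_start:name_start + f[12]].decode("utf-8", "replace")
        start = f[18]
        lf = LOCAL_HEADER.unpack_from(data, start)
        if lf[0] != b"PK\x03\x04":
            raise ValueError(f"{name!r}: no local file header at offset {start}")
        end = start + LOCAL_HEADER.size + lf[10] + lf[11] + f[10]
        yield name, start, end


def find_overlaps(data: bytes):
    """Return (earlier, later) name pairs whose byte ranges overlap.
    A well-formed archive yields []; a quoted-overlap archive yields at least one pair."""
    spans = sorted(entry_spans(data), key=lambda s: s[1])
    return [(a[0], b[0]) for a, b in zip(spans, spans[1:]) if b[1] < a[2]]


def build_fixture(overlap: bool) -> bytes:
    """Constructed sample: a normal two-file archive, optionally tampered so that
    the second central-directory record points at the first entry's local header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", "A" * 4096)
        zf.writestr("b.txt", "B" * 4096)
    data = bytearray(buf.getvalue())
    if overlap:
        first, second = central_records(bytes(data))
        # Copy the "relative offset of local header" field (bytes 42..45 of the record).
        data[second + 42:second + 46] = data[first + 42:first + 46]
    return bytes(data)


if __name__ == "__main__":
    for label, tampered in (("clean", False), ("overlapping", True)):
        print(label, find_overlaps(build_fixture(tampered)))
```

Run against an untrusted archive before handing it to an older zipfile, or as a quick way to confirm what the fixed interpreter rejects: a fixed CPython raises BadZipFile when an entry flagged by this check is opened, while an unfixed one silently decompresses every aliased entry.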
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-03-20 05:06:37 UTC
lists more:

> gh-81194: a crash in socket.if_indextoname() with a specific value (UINT_MAX) was fixed. Relatedly, an integer overflow in socket.if_indextoname() on 64-bit non-Windows platforms was fixed

> gh-113659: .pth files with names starting with a dot or containing the hidden file attribute are now skipped

> gh-102388: iso2022_jp_3 and iso2022_jp_2004 codecs no longer read out of bounds

> gh-114572: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate store, when the ssl.SSLContext is shared across multiple threads
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-04-06 07:37:49 UTC
Sigh, looks like the upstream announcement was wrong:

zipfile fix is already present in 3.11.8 and 3.12.2.

tempfile fix is already present in 3.11.8 and 3.12.1.

Everything else, except for the SSLContext thing, also seems to be present in older versions.  However, that one doesn't seem like a real security issue at a first glance.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-04-25 03:45:02 UTC
cleanup done.
Comment 4 Larry the Git Cow gentoo-dev 2024-05-04 06:00:42 UTC
The bug has been referenced in the following commit(s):

commit 665ec86173a28118d28182d8381d593988f1adac
Author:     GLSAMaker <>
AuthorDate: 2024-05-04 05:59:08 +0000
Commit:     Hans de Graaff <>
CommitDate: 2024-05-04 06:00:31 +0000

    [ GLSA 202405-01 ] Python, PyPy3: Multiple Vulnerabilities
    Signed-off-by: GLSAMaker <>
    Signed-off-by: Hans de Graaff <>

 glsa-202405-01.xml | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)