From ${URL}: A flaw was found in the way Python's zipfile module processed malformed ZIP files. Processing a malicious ZIP file could lead to 100% CPU usage. This would be an issue if you are running a web service that accepts and processes ZIP files from untrusted sources. At least Python 3 is affected. It is not yet known if older versions (such as version 2.7) are affected.
Upstream fix: http://hg.python.org/cpython/rev/79ea4ce431b1
Original report: http://bugs.python.org/issue20078
CVE request: http://seclists.org/oss-sec/2014/q1/592
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2013-7338 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7338): Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.
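The size mismatch described in the CVE text above, as an added example that is not part of this bug report or of CPython: a pre-extraction audit in Python that compares each member's declared compress_size and file_size against the real archive length, a reader that caps the bytes it will produce from one member, and a constructed tampered archive (built in memory, with the central-directory size fields forged) to exercise the checks. The 64 MiB cap, the chunk size and the member names are assumptions chosen for the example.

```python
"""Added example (not from the bug report or CPython): reject ZIP archives
whose central directory declares sizes larger than the archive itself, and
read members with a hard output cap. Limits below are assumed policy values."""
import io
import struct
import zipfile

MAX_TOTAL_UNCOMPRESSED = 64 * 1024 * 1024  # assumed policy: 64 MiB per archive
CHUNK = 64 * 1024


class UnsafeZip(ValueError):
    """Raised when an archive fails the sanity checks below."""


def audit_zip(data: bytes, max_total: int = MAX_TOTAL_UNCOMPRESSED) -> list:
    """Validate central-directory metadata against the real archive length.

    Returns [(name, compress_size, file_size), ...] when the archive passes,
    otherwise raises UnsafeZip. Nothing is decompressed here.
    """
    archive_len = len(data)
    total_uncompressed = 0
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # A member cannot be larger than the file that contains it.
            if info.compress_size > archive_len:
                raise UnsafeZip(f"{info.filename}: compress_size "
                                f"{info.compress_size} exceeds archive "
                                f"length {archive_len}")
            # Nor can its compressed bytes extend past the end of the archive.
            if info.header_offset + info.compress_size > archive_len:
                raise UnsafeZip(f"{info.filename}: data runs past end of archive")
            total_uncompressed += info.file_size
            if total_uncompressed > max_total:
                raise UnsafeZip(f"{info.filename}: declared uncompressed "
                                f"total exceeds {max_total} bytes")
            entries.append((info.filename, info.compress_size, info.file_size))
    return entries


def is_rejected(data: bytes) -> bool:
    """True if audit_zip() refuses the archive."""
    try:
        audit_zip(data)
    except UnsafeZip:
        return True
    return False


def bounded_read(data: bytes, name: str, limit: int) -> bytes:
    """Read one member in chunks; stop as soon as `limit` bytes are exceeded."""
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as member:
        while len(out) <= limit:
            chunk = member.read(CHUNK)
            if not chunk:
                break
            out += chunk
    if len(out) > limit:
        raise UnsafeZip(f"{name}: decompressed output exceeds {limit} bytes")
    return bytes(out)


# --- constructed sample input (not real-world data) ----------------------

def build_archive(members: dict) -> bytes:
    """Build a well-formed archive in memory from {name: payload}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


CENTRAL_DIR_SIG = b"PK\x01\x02"


def forge_sizes(archive: bytes, compress_size=None, file_size=None) -> bytes:
    """Constructed tampering: overwrite the compressed/uncompressed size fields
    (offsets 20 and 24) of the first central-directory header only."""
    idx = archive.find(CENTRAL_DIR_SIG)
    if idx < 0:
        raise ValueError("no central directory header found")
    cur_c, cur_f = struct.unpack_from("<II", archive, idx + 20)
    tampered = bytearray(archive)
    struct.pack_into("<II", tampered, idx + 20,
                     cur_c if compress_size is None else compress_size,
                     cur_f if file_size is None else file_size)
    return bytes(tampered)


GOOD = build_archive({"notes.txt": b"hello from a constructed archive\n" * 10})
BAD_COMPRESS = forge_sizes(GOOD, compress_size=0x7FFFFFF0)  # larger than archive
BAD_FILE = forge_sizes(GOOD, file_size=0x7FFFFFF0)          # above the total cap

if __name__ == "__main__":
    print("good archive:", audit_zip(GOOD))
    print("forged compress_size rejected:", is_rejected(BAD_COMPRESS))
    print("forged file_size rejected:", is_rejected(BAD_FILE))
    print("bounded read:", bounded_read(GOOD, "notes.txt", 4096)[:32])
```

The audit only reads the central directory, so it costs nothing on the decompression side and can sit in front of whatever extraction a service performs; the bounded reader is the second line of defence for members whose declared sizes look plausible but whose stream does not behave.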
This issue was resolved and addressed in GLSA 201503-10 at https://security.gentoo.org/glsa/201503-10 by GLSA coordinator Kristian Fiskerstrand (K_F).