Bug 1162825 (CVE-2019-9674)

Summary: VUL-1: CVE-2019-9674: python,python36,python3,python27: Lib/zipfile.py allows remote attackers to cause a denial of service via a ZIP bomb
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: junguo.wang, meissner, smash_bz, wolfgang.frisch
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/252390/
Whiteboard: CVSSv3.1:SUSE:CVE-2019-9674:6.5:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Alexandros Toptsoglou 2020-02-05 12:06:17 UTC
Only documentation changes are proposed upstream [1].

[1] https://github.com/python/cpython/commit/c5a672315dffbc95acc1ca28584ec84ddb56626f
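Since the upstream change referenced in comment 1 is documentation only, the guard against decompression bombs has to live in the application that opens untrusted archives. The following is an added example, not code from the CPython commit or from any SUSE package: it checks the sizes declared in the central directory (`ZipInfo.file_size` and `ZipInfo.compress_size`) against assumed policy limits before anything is extracted, then caps the bytes actually produced while reading a member, so a header that under-reports its size cannot bypass the first check. The limit values, entry names and the in-memory archives are constructed for this example.

```python
import io
import zipfile

# Policy limits: assumed values for this example, tune per deployment.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024  # bytes across all members
MAX_RATIO = 100                            # uncompressed / compressed, per member
MAX_MEMBERS = 10_000


class DecompressionBombError(ValueError):
    """Raised when an archive exceeds the configured decompression limits."""


def scan_archive(buf, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO,
                 max_members=MAX_MEMBERS):
    """Check the central directory before extracting anything.

    Returns the total declared uncompressed size. Raises
    DecompressionBombError if the member count, any member's compression
    ratio, or the running total exceeds the limits.
    """
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        infos = zf.infolist()
        if len(infos) > max_members:
            raise DecompressionBombError(f"{len(infos)} members > {max_members}")
        total = 0
        for info in infos:
            # A long run of identical bytes deflates at roughly 1000:1,
            # so the per-member ratio alone is enough to flag a bomb.
            if info.compress_size > 0 and info.file_size / info.compress_size > max_ratio:
                ratio = info.file_size / info.compress_size
                raise DecompressionBombError(
                    f"{info.filename}: ratio {ratio:.0f}:1 > {max_ratio}")
            total += info.file_size
            if total > max_total:
                raise DecompressionBombError(f"total {total} bytes > {max_total}")
        return total


def is_bomb(buf):
    """True if scan_archive() rejects the archive under the default limits."""
    try:
        scan_archive(buf)
    except DecompressionBombError:
        return True
    return False


def read_member_capped(buf, name, max_bytes, chunk=64 * 1024):
    """Read one member with a hard cap on the bytes actually produced.

    scan_archive() trusts file_size/compress_size from the central
    directory; this streaming cap does not, so a crafted header cannot
    talk the reader into producing more than max_bytes.
    """
    buf.seek(0)
    out = bytearray()
    with zipfile.ZipFile(buf) as zf, zf.open(name) as fh:
        while True:
            piece = fh.read(chunk)
            if not piece:
                break
            out += piece
            if len(out) > max_bytes:
                raise DecompressionBombError(
                    f"{name}: exceeded {max_bytes} bytes while reading")
    return bytes(out)


def build_archive(entries):
    """Build a constructed in-memory archive from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed sample content, not real archives.
BENIGN_ENTRIES = [("readme.txt", b"hello world\n"),
                  ("config.ini", b"[main]\nkey=value\n")]


def benign_archive():
    return build_archive(BENIGN_ENTRIES)


def bomb_archive():
    # 16 MiB of zeros deflates to roughly 16 KiB, about 1000:1.
    return build_archive([("payload.bin", b"\0" * (16 * 1024 * 1024))])


if __name__ == "__main__":
    print("benign archive declares", scan_archive(benign_archive()), "bytes")
    print("bomb archive flagged:", is_bomb(bomb_archive()))
```

The header check is cheap and rejects the common case up front; the streaming cap is what actually bounds resource use, since the central directory is attacker-controlled data. Apply the cap per member with a limit no larger than that member's declared size, and keep a running total across members so many small entries cannot add up past the archive-wide budget.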
Comment 3 Swamp Workflow Management 2020-02-09 17:40:09 UTC
This is an autogenerated message for OBS integration:
This bug (1162825) was mentioned in
https://build.opensuse.org/request/show/772516 Factory / python
Comment 6 Swamp Workflow Management 2020-02-25 14:16:09 UTC
SUSE-SU-2020:0467-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1162224,1162367,1162423,1162825
CVE References: CVE-2019-9674,CVE-2020-8492
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python3-3.6.10-3.47.2, python3-base-3.6.10-3.47.2, python3-doc-3.6.10-3.47.2
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    python3-base-3.6.10-3.47.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    python3-3.6.10-3.47.2, python3-base-3.6.10-3.47.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-02-27 17:17:06 UTC
SUSE-SU-2020:0510-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1162224,1162367,1162825
CVE References: CVE-2019-9674,CVE-2020-8492
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    python-2.7.17-7.35.1, python-base-2.7.17-7.35.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python-2.7.17-7.35.1, python-base-2.7.17-7.35.1, python-doc-2.7.17-7.35.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    python-2.7.17-7.35.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    python-2.7.17-7.35.1, python-base-2.7.17-7.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-03-01 23:12:32 UTC
openSUSE-SU-2020:0274-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1162224,1162367,1162423,1162825
CVE References: CVE-2019-9674,CVE-2020-8492
Sources used:
openSUSE Leap 15.1 (src):    python3-3.6.10-lp151.6.11.1, python3-base-3.6.10-lp151.6.11.1
Comment 10 Swamp Workflow Management 2020-03-02 17:43:47 UTC
SUSE-SU-2020:0557-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1162367,1162423,1162825
CVE References: CVE-2019-9674,CVE-2020-8492
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    python36-3.6.10-4.6.1, python36-base-3.6.10-4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 jun wang 2020-03-26 08:01:33 UTC
I am testing SUSE:Maintenance:14269:214437 on SLE11SP1&SP3, and I find that this issue was NOT fixed.

The documentation is NOT changed in zipfile.rst.txt from python27-doc,
but I checked the python27-doc spec file, and the patch was applied.
It is weird.

In a word, this issue was NOT fixed on SLE11SP1&SP3.
Comment 19 Marcus Meissner 2020-03-26 08:30:10 UTC
We are not building the docs, but include only the generated documents.

The generated docs do not include the update zipfile.rst.txt currently.
Comment 20 jun wang 2020-03-26 09:05:21 UTC
(In reply to Marcus Meissner from comment #19)
> We are not building the docs, but include only the generated documents.
> 
> The generated docs do not include the update zipfile.rst.txt currently.

I referenced another update which fixed this bug; the changed document
should be included in zipfile.rst.txt in this update.
Comment 22 Swamp Workflow Management 2020-04-02 16:24:12 UTC
SUSE-SU-2020:0854-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1155094,1162224,1162367,1162825,1165894
CVE References: CVE-2019-18348,CVE-2019-9674,CVE-2020-8492
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE OpenStack Cloud 8 (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE OpenStack Cloud 7 (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server 12-SP5 (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server 12-SP4 (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Enterprise Storage 5 (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
HPE Helion Openstack 8 (src):    python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2020-05-19 16:15:25 UTC
SUSE-SU-2020:1339-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1155094,1162825
CVE References: CVE-2019-18348,CVE-2019-9674
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    python-2.7.17-7.38.1, python-base-2.7.17-7.38.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python-2.7.17-7.38.1, python-base-2.7.17-7.38.1, python-doc-2.7.17-7.38.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    python-2.7.17-7.38.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    python-2.7.17-7.38.1, python-base-2.7.17-7.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Swamp Workflow Management 2020-05-22 22:16:54 UTC
openSUSE-SU-2020:0696-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1155094,1162825
CVE References: CVE-2019-18348,CVE-2019-9674
Sources used:
openSUSE Leap 15.1 (src):    python-2.7.17-lp151.10.17.1, python-base-2.7.17-lp151.10.17.1, python-doc-2.7.17-lp151.10.17.1
Comment 30 Swamp Workflow Management 2020-06-03 13:22:51 UTC
SUSE-SU-2020:1524-1: An update that solves three vulnerabilities and has 18 fixes is now available.

Category: security (moderate)
Bug References: 1027282,1041090,1042670,1073269,1073748,1078326,1078485,1081750,1084650,1086001,1149792,1153830,1155094,1159035,1162224,1162367,1162825,1165894,1170411,1171561,945401
CVE References: CVE-2019-18348,CVE-2019-9674,CVE-2020-8492
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE OpenStack Cloud 8 (src):    python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE OpenStack Cloud 7 (src):    python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    python-base-2.7.17-28.42.1
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    python-base-2.7.17-28.42.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    python-rpm-macros-20200207.5feb6c1-3.19.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    python-base-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server 12-SP5 (src):    python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server 12-SP4 (src):    python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Enterprise Storage 5 (src):    python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
HPE Helion Openstack 8 (src):    python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 31 Matej Cepl 2020-06-08 09:53:48 UTC
Update has been released, this bug can be closed.
Comment 36 OBSbugzilla Bot 2020-11-27 16:43:20 UTC
This is an autogenerated message for OBS integration:
This bug (1162825) was mentioned in
https://build.opensuse.org/request/show/851367 Factory / python36
Comment 37 OBSbugzilla Bot 2020-12-01 18:23:14 UTC
This is an autogenerated message for OBS integration:
This bug (1162825) was mentioned in
https://build.opensuse.org/request/show/852415 Factory / python36
Comment 38 OBSbugzilla Bot 2020-12-05 17:33:07 UTC
This is an autogenerated message for OBS integration:
This bug (1162825) was mentioned in
https://build.opensuse.org/request/show/853277 Factory / python36
Comment 39 OBSbugzilla Bot 2020-12-05 19:13:15 UTC
This is an autogenerated message for OBS integration:
This bug (1162825) was mentioned in
https://build.opensuse.org/request/show/853314 Factory / python36
Comment 40 OBSbugzilla Bot 2020-12-17 18:13:17 UTC
This is an autogenerated message for OBS integration:
This bug (1162825) was mentioned in
https://build.opensuse.org/request/show/856737 Factory / python36
Comment 41 OBSbugzilla Bot 2021-10-06 14:43:27 UTC
This is an autogenerated message for OBS integration:
This bug (1162825) was mentioned in
https://build.opensuse.org/request/show/923499 Factory / python36
Comment 42 OBSbugzilla Bot 2021-10-22 08:43:34 UTC
This is an autogenerated message for OBS integration:
This bug (1162825) was mentioned in
https://build.opensuse.org/request/show/926876 Factory / python36
Comment 43 OBSbugzilla Bot 2022-02-06 22:31:00 UTC
This is an autogenerated message for OBS integration:
This bug (1162825) was mentioned in
https://build.opensuse.org/request/show/951983 Factory / python
Comment 44 OBSbugzilla Bot 2022-02-09 19:11:11 UTC
This is an autogenerated message for OBS integration:
This bug (1162825) was mentioned in
https://build.opensuse.org/request/show/953031 Factory / python
Comment 45 OBSbugzilla Bot 2022-06-10 08:41:06 UTC
This is an autogenerated message for OBS integration:
This bug (1162825) was mentioned in
https://build.opensuse.org/request/show/981989 Factory / python