Bug 1221986 - VUL-0: python-Scrapy: decompression bomb vulnerability
Summary: VUL-0: python-Scrapy: decompression bomb vulnerability
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.5
Hardware: Other Other
Priority / Severity: P3 - Medium / Normal
Target Milestone: ---
Assignee: Dirk Mueller
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-26 13:00 UTC by Andrea Mattiazzo
Modified: 2024-07-11 10:47 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andrea Mattiazzo 2024-03-26 13:00:43 UTC
Scrapy limits allowed response sizes by default through the DOWNLOAD_MAXSIZE and DOWNLOAD_WARNSIZE settings.

However, those limits were only being enforced during the download of the raw, usually-compressed response bodies, and not during decompression, making Scrapy vulnerable to decompression bombs.

A malicious website being scraped could send a small response that, on decompression, could exhaust the memory available to the Scrapy process, potentially affecting any other process sharing that memory, and affecting disk usage in case of uncompressed response caching.

References:
https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7
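The following is an added illustration of the mitigation the report calls for, written for this page; it is not Scrapy's own code and uses none of Scrapy's APIs. It contrasts a size check applied only to the raw compressed bytes (the behaviour described above) with a bounded decompression that enforces the same cap on the inflated output. The names `MAX_DECOMPRESSED_SIZE`, `DecompressionLimitExceeded`, `decompress_bounded` and the helper functions are this example's own assumptions; `MAX_DECOMPRESSED_SIZE` merely stands in for a DOWNLOAD_MAXSIZE-style setting. The sample input is a constructed gzip stream of zero bytes.

```python
"""Bounding the decompressed size of a response body.

Added example, not Scrapy code. Shows why a cap on raw (compressed) bytes is
insufficient and how to apply the same cap to the decompressed output while
keeping memory use bounded.
"""
import gzip
import zlib

# Assumed cap on decompressed bytes (stands in for a DOWNLOAD_MAXSIZE-style setting).
MAX_DECOMPRESSED_SIZE = 1024 * 1024  # 1 MiB


class DecompressionLimitExceeded(Exception):
    """Raised when the decompressed output would exceed the configured limit."""


def decompress_bounded(data: bytes, max_size: int = MAX_DECOMPRESSED_SIZE,
                       chunk_size: int = 64 * 1024) -> bytes:
    """Inflate a gzip or zlib stream, aborting once output exceeds max_size.

    zlib.decompressobj().decompress(buf, max_length) returns at most
    max_length bytes per call and parks unprocessed input in .unconsumed_tail,
    so memory use never exceeds roughly max_size + chunk_size, whatever the
    compression ratio of the input. wbits = 15 | 32 auto-detects gzip/zlib.
    """
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)
    out = bytearray()
    buf = data
    while not d.eof:
        chunk = d.decompress(buf, chunk_size)
        if not chunk and not d.unconsumed_tail:
            break  # truncated stream: no input left and nothing more produced
        out += chunk
        if len(out) > max_size:
            raise DecompressionLimitExceeded(
                f"decompressed size exceeds {max_size} bytes")
        buf = d.unconsumed_tail  # feed the remainder back in on the next pass
    return bytes(out)


def raw_size_check_passes(compressed: bytes,
                          max_size: int = MAX_DECOMPRESSED_SIZE) -> bool:
    """The check described in the report: limit applied to raw bytes only."""
    return len(compressed) <= max_size


def decompressed_size_check_passes(compressed: bytes,
                                   max_size: int = MAX_DECOMPRESSED_SIZE) -> bool:
    """The corrected check: limit applied to the inflated output as well."""
    try:
        decompress_bounded(compressed, max_size)
        return True
    except DecompressionLimitExceeded:
        return False


def constructed_compressible_body(n_bytes: int) -> bytes:
    """Constructed sample input: gzip of n_bytes zero bytes (highly compressible)."""
    return gzip.compress(b"\0" * n_bytes)


if __name__ == "__main__":
    # A few KiB on the wire that inflate to 8 MiB: passes the raw check,
    # fails the bounded one. A 1000-byte body passes both.
    big = constructed_compressible_body(8 * 1024 * 1024)
    small = constructed_compressible_body(1000)
    print("raw check, 8 MiB body:", raw_size_check_passes(big))            # True
    print("bounded check, 8 MiB body:", decompressed_size_check_passes(big))  # False
    print("bounded check, 1000-byte body:", decompressed_size_check_passes(small))  # True
```

The important property is that `decompress_bounded` raises before the output grows past the cap plus one chunk, rather than inflating everything and measuring afterwards; the latter would defeat the purpose of the limit. The same bounded loop applies to any streamed body, and the cap should be enforced again before writing inflated bodies to an on-disk cache.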
Comment 1 Andrea Mattiazzo 2024-03-26 13:04:43 UTC
Tracking as affected:
- openSUSE:Factory/python-Scrapy
Comment 2 Dirk Mueller 2024-07-11 10:47:14 UTC
Fixed with the 2.12.1 update.