Bugzilla – Bug 1162825
VUL-1: CVE-2019-9674: python,python36,python3,python27: Lib/zipfile.py allows remote attackers to cause a denial of service via a ZIP bomb
Last modified: 2022-06-10 08:41:06 UTC
CVE-2019-9674 Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9674
https://github.com/python/cpython/blob/master/Lib/zipfile.py
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9674
https://bugs.python.org/issue36260
https://bugs.python.org/issue36462
https://python-security.readthedocs.io/security.html#archives-and-zip-bomb
https://www.python.org/news/security/
Only documentation changes are proposed upstream [1]

[1] https://github.com/python/cpython/commit/c5a672315dffbc95acc1ca28584ec84ddb56626f
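An added example, not code from the bug report or from CPython, of the caller-side limits the upstream documentation change points users toward: inspect the sizes declared in the central directory before inflating anything, then cap the bytes actually produced while extracting. The sample archives, limit values and function names are constructed for illustration.

```python
import io
import zipfile

# Constructed sample archives (not taken from the bug report): a small
# ordinary archive and one whose only member inflates from a few KiB to 10 MiB.
def build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

BENIGN_ZIP = build_zip({"readme.txt": b"hello world\n" * 20})
BOMB_ZIP = build_zip({"zeros.bin": b"\0" * (10 * 1024 * 1024)})

def zip_limits_ok(data, max_total=1024 * 1024, max_ratio=100, max_members=1000):
    """Reject an archive from its central directory alone, before inflating
    anything: too many members, too much declared output, or a member whose
    declared inflation ratio is implausible for ordinary content."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > max_members:
            return False, "too many members"
        for info in infos:
            total += info.file_size
            if total > max_total:
                return False, f"declared total {total} exceeds {max_total}"
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                return False, f"{info.filename}: compression ratio exceeds {max_ratio}"
    return True, "ok"

def extract_bounded(data, budget=1024 * 1024, chunk=64 * 1024):
    """Extract into memory while counting the bytes actually produced, as
    defence in depth independent of what the headers declared."""
    ok, reason = zip_limits_ok(data, max_total=budget)
    if not ok:
        raise ValueError(reason)
    out, produced = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            parts = []
            with zf.open(info) as fh:
                for block in iter(lambda: fh.read(chunk), b""):
                    produced += len(block)
                    if produced > budget:
                        raise ValueError("output budget exceeded during extraction")
                    parts.append(block)
            out[info.filename] = b"".join(parts)
    return out
```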
This is an autogenerated message for OBS integration: This bug (1162825) was mentioned in https://build.opensuse.org/request/show/772516 Factory / python
SUSE-SU-2020:0467-1: An update that solves two vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 1162224,1162367,1162423,1162825
CVE References: CVE-2019-9674,CVE-2020-8492
Sources used:
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python3-3.6.10-3.47.2, python3-base-3.6.10-3.47.2, python3-doc-3.6.10-3.47.2
  SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): python3-base-3.6.10-3.47.2
  SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python3-3.6.10-3.47.2, python3-base-3.6.10-3.47.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0510-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1162224,1162367,1162825
CVE References: CVE-2019-9674,CVE-2020-8492
Sources used:
  SUSE Linux Enterprise Module for Python2 15-SP1 (src): python-2.7.17-7.35.1, python-base-2.7.17-7.35.1
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python-2.7.17-7.35.1, python-base-2.7.17-7.35.1, python-doc-2.7.17-7.35.1
  SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): python-2.7.17-7.35.1
  SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python-2.7.17-7.35.1, python-base-2.7.17-7.35.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0274-1: An update that solves two vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 1162224,1162367,1162423,1162825
CVE References: CVE-2019-9674,CVE-2020-8492
Sources used:
  openSUSE Leap 15.1 (src): python3-3.6.10-lp151.6.11.1, python3-base-3.6.10-lp151.6.11.1
SUSE-SU-2020:0557-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1162367,1162423,1162825
CVE References: CVE-2019-9674,CVE-2020-8492
Sources used:
  SUSE Linux Enterprise Server 12-SP5 (src): python36-3.6.10-4.6.1, python36-base-3.6.10-4.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
I am testing SUSE:Maintenance:14269:214437 on SLE11SP1&SP3, and I find that this issue was NOT fixed. The documentation is NOT changed in zipfile.rst.txt from python27-doc. But I checked the python27-doc spec file, and the patch was applied. It is weird. In a word, this issue was NOT fixed on SLE11SP1&SP3.
We are not building the docs, but include only the generated documents. The generated docs do not include the updated zipfile.rst.txt currently.
(In reply to Marcus Meissner from comment #19)
> We are not building the docs, but include only the generated documents.
>
> The generated docs do not include the updated zipfile.rst.txt currently.

I referenced another update which fixed this bug; the changed document should be included in zipfile.rst.txt in this update.
SUSE-SU-2020:0854-1: An update that solves three vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 1155094,1162224,1162367,1162825,1165894
CVE References: CVE-2019-18348,CVE-2019-9674,CVE-2020-8492
Sources used:
  SUSE OpenStack Cloud Crowbar 8 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
  SUSE OpenStack Cloud 8 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
  SUSE OpenStack Cloud 7 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
  SUSE Linux Enterprise Software Development Kit 12-SP5 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
  SUSE Linux Enterprise Software Development Kit 12-SP4 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
  SUSE Linux Enterprise Server for SAP 12-SP3 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
  SUSE Linux Enterprise Server for SAP 12-SP2 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
  SUSE Linux Enterprise Server for SAP 12-SP1 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
  SUSE Linux Enterprise Server 12-SP5 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
  SUSE Linux Enterprise Server 12-SP4 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
  SUSE Linux Enterprise Server 12-SP3-LTSS (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
  SUSE Linux Enterprise Server 12-SP3-BCL (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
  SUSE Linux Enterprise Server 12-SP2-LTSS (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
  SUSE Linux Enterprise Server 12-SP2-BCL (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
  SUSE Linux Enterprise Server 12-SP1-LTSS (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
  SUSE Linux Enterprise Module for Web Scripting 12 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
  SUSE Enterprise Storage 5 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
  HPE Helion Openstack 8 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:1339-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1155094,1162825
CVE References: CVE-2019-18348,CVE-2019-9674
Sources used:
  SUSE Linux Enterprise Module for Python2 15-SP1 (src): python-2.7.17-7.38.1, python-base-2.7.17-7.38.1
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python-2.7.17-7.38.1, python-base-2.7.17-7.38.1, python-doc-2.7.17-7.38.1
  SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): python-2.7.17-7.38.1
  SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python-2.7.17-7.38.1, python-base-2.7.17-7.38.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0696-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1155094,1162825
CVE References: CVE-2019-18348,CVE-2019-9674
Sources used:
  openSUSE Leap 15.1 (src): python-2.7.17-lp151.10.17.1, python-base-2.7.17-lp151.10.17.1, python-doc-2.7.17-lp151.10.17.1
SUSE-SU-2020:1524-1: An update that solves three vulnerabilities and has 18 fixes is now available.
Category: security (moderate)
Bug References: 1027282,1041090,1042670,1073269,1073748,1078326,1078485,1081750,1084650,1086001,1149792,1153830,1155094,1159035,1162224,1162367,1162825,1165894,1170411,1171561,945401
CVE References: CVE-2019-18348,CVE-2019-9674,CVE-2020-8492
Sources used:
  SUSE OpenStack Cloud Crowbar 8 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
  SUSE OpenStack Cloud 8 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
  SUSE OpenStack Cloud 7 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
  SUSE Linux Enterprise Workstation Extension 12-SP5 (src): python-base-2.7.17-28.42.1
  SUSE Linux Enterprise Workstation Extension 12-SP4 (src): python-base-2.7.17-28.42.1
  SUSE Linux Enterprise Software Development Kit 12-SP5 (src): python-rpm-macros-20200207.5feb6c1-3.19.1
  SUSE Linux Enterprise Software Development Kit 12-SP4 (src): python-base-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1
  SUSE Linux Enterprise Server for SAP 12-SP3 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
  SUSE Linux Enterprise Server for SAP 12-SP2 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
  SUSE Linux Enterprise Server for SAP 12-SP1 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
  SUSE Linux Enterprise Server 12-SP5 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
  SUSE Linux Enterprise Server 12-SP4 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
  SUSE Linux Enterprise Server 12-SP3-LTSS (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
  SUSE Linux Enterprise Server 12-SP3-BCL (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
  SUSE Linux Enterprise Server 12-SP2-LTSS (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
  SUSE Linux Enterprise Server 12-SP2-BCL (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
  SUSE Linux Enterprise Server 12-SP1-LTSS (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
  SUSE Enterprise Storage 5 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
  HPE Helion Openstack 8 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Update has been released, this bug can be closed.
This is an autogenerated message for OBS integration: This bug (1162825) was mentioned in https://build.opensuse.org/request/show/851367 Factory / python36
This is an autogenerated message for OBS integration: This bug (1162825) was mentioned in https://build.opensuse.org/request/show/852415 Factory / python36
This is an autogenerated message for OBS integration: This bug (1162825) was mentioned in https://build.opensuse.org/request/show/853277 Factory / python36
This is an autogenerated message for OBS integration: This bug (1162825) was mentioned in https://build.opensuse.org/request/show/853314 Factory / python36
This is an autogenerated message for OBS integration: This bug (1162825) was mentioned in https://build.opensuse.org/request/show/856737 Factory / python36
This is an autogenerated message for OBS integration: This bug (1162825) was mentioned in https://build.opensuse.org/request/show/923499 Factory / python36
This is an autogenerated message for OBS integration: This bug (1162825) was mentioned in https://build.opensuse.org/request/show/926876 Factory / python36
This is an autogenerated message for OBS integration: This bug (1162825) was mentioned in https://build.opensuse.org/request/show/951983 Factory / python
This is an autogenerated message for OBS integration: This bug (1162825) was mentioned in https://build.opensuse.org/request/show/953031 Factory / python
This is an autogenerated message for OBS integration: This bug (1162825) was mentioned in https://build.opensuse.org/request/show/981989 Factory / python