python/CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch

From d8877aaabe9aa5d9b9904c222c552f3c6a85017c Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Wed, 17 Jan 2024 15:41:50 +0200
Subject: [PATCH] [CVE-2024-0450] Protect zipfile from "quoted-overlap" zipbomb

Raise BadZipFile when try to read an entry that overlaps with
other entry or central directory.
(cherry picked from commit 66363b9a7b9fe7c99eba3a185b74c5fdbf842eba)

From-PR: gh#python/cpython!110016
Fixes: gh#python/cpython#109858
Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
---
 Lib/test/test_zipfile.py                                                |   60 ++++++++++
 Lib/zipfile.py                                                          |   12 ++
 Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst |    3 
 3 files changed, 75 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst

--- a/Lib/test/test_zipfile.py
+++ b/Lib/test/test_zipfile.py
@@ -1377,6 +1377,66 @@ class TestsWithRandomBinaryFiles(unittes
         with open(TESTFN, "wb") as fp:
             fp.write(self.data)
 
+    @requires_zlib
+    def test_full_overlap(self):
+        data = (
+            b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2\x1e'
+            b'8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00a\xed'
+            b'\xc0\x81\x08\x00\x00\x00\xc00\xd6\xfbK\\d\x0b`P'
+            b'K\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2'
+            b'\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00\x00'
+            b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00aPK'
+            b'\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2\x1e'
+            b'8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00\x00\x00'
+            b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00bPK\x05'
+            b'\x06\x00\x00\x00\x00\x02\x00\x02\x00^\x00\x00\x00/\x00\x00'
+            b'\x00\x00\x00'
+        )
+        with zipfile.ZipFile(io.BytesIO(data), 'r') as zipf:
+            self.assertEqual(zipf.namelist(), ['a', 'b'])
+            zi = zipf.getinfo('a')
+            self.assertEqual(zi.header_offset, 0)
+            self.assertEqual(zi.compress_size, 16)
+            self.assertEqual(zi.file_size, 1033)
+            zi = zipf.getinfo('b')
+            self.assertEqual(zi.header_offset, 0)
+            self.assertEqual(zi.compress_size, 16)
+            self.assertEqual(zi.file_size, 1033)
+            self.assertEqual(len(zipf.read('a')), 1033)
+            with self.assertRaisesRegex(zipfile.BadZipFile, 'File name.*differ'):
+                zipf.read('b')
+
+    @requires_zlib
+    def test_quoted_overlap(self):
+        data = (
+            b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05Y\xfc'
+            b'8\x044\x00\x00\x00(\x04\x00\x00\x01\x00\x00\x00a\x00'
+            b'\x1f\x00\xe0\xffPK\x03\x04\x14\x00\x00\x00\x08\x00\xa0l'
+            b'H\x05\xe2\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00'
+            b'\x00\x00b\xed\xc0\x81\x08\x00\x00\x00\xc00\xd6\xfbK\\'
+            b'd\x0b`PK\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0'
+            b'lH\x05Y\xfc8\x044\x00\x00\x00(\x04\x00\x00\x01'
+            b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
+            b'\x00aPK\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0l'
+            b'H\x05\xe2\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00'
+            b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x00\x00'
+            b'bPK\x05\x06\x00\x00\x00\x00\x02\x00\x02\x00^\x00\x00'
+            b'\x00S\x00\x00\x00\x00\x00'
+        )
+        with zipfile.ZipFile(io.BytesIO(data), 'r') as zipf:
+            self.assertEqual(zipf.namelist(), ['a', 'b'])
+            zi = zipf.getinfo('a')
+            self.assertEqual(zi.header_offset, 0)
+            self.assertEqual(zi.compress_size, 52)
+            self.assertEqual(zi.file_size, 1064)
+            zi = zipf.getinfo('b')
+            self.assertEqual(zi.header_offset, 36)
+            self.assertEqual(zi.compress_size, 16)
+            self.assertEqual(zi.file_size, 1033)
+            with self.assertRaisesRegex(zipfile.BadZipFile, 'Overlapped entries'):
+                zipf.read('a')
+            self.assertEqual(len(zipf.read('b')), 1033)
+
     def tearDown(self):
         unlink(TESTFN)
         unlink(TESTFN2)
--- a/Lib/zipfile.py
+++ b/Lib/zipfile.py
@@ -305,6 +305,7 @@ class ZipInfo (object):
             'compress_size',
             'file_size',
             '_raw_time',
+            '_end_offset',
         )
 
     def __init__(self, filename="NoName", date_time=(1980,1,1,0,0,0)):
@@ -343,6 +344,7 @@ class ZipInfo (object):
         self.volume = 0                 # Volume number of file header
         self.internal_attr = 0          # Internal attributes
         self.external_attr = 0          # External file attributes
+        self._end_offset = None         # Start of the next local header or central directory
         # Other attributes are set by class ZipFile:
         # header_offset         Byte offset to the file header
         # CRC                   CRC-32 of the uncompressed file
@@ -891,6 +893,12 @@ class ZipFile(object):
             if self.debug > 2:
                 print "total", total
 
+        end_offset = self.start_dir
+        for zinfo in sorted(self.filelist,
+                            key=lambda zinfo: zinfo.header_offset,
+                            reverse=True):
+            zinfo._end_offset = end_offset
+            end_offset = zinfo.header_offset
 
     def namelist(self):
         """Return a list of file names in the archive."""
@@ -1002,6 +1010,10 @@ class ZipFile(object):
                         'File name in directory "%s" and header "%s" differ.' % (
                             zinfo.orig_filename, fname)
 
+            if (zinfo._end_offset is not None and
+                zef_file.tell() + zinfo.compress_size > zinfo._end_offset):
+                raise BadZipFile("Overlapped entries: {!r} (possible zip bomb)".format(zinfo.orig_filename))
+
             # check for encrypted flag & handle password
             is_encrypted = zinfo.flag_bits & 0x1
             zd = None
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst
@@ -0,0 +1,3 @@
+Protect :mod:`zipfile` from "quoted-overlap" zipbomb. It now raises
+BadZipFile when try to read an entry that overlaps with other entry or
+central directory.
- bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=416 2024-05-18 16:51:08 +00:00			`From d8877aaabe9aa5d9b9904c222c552f3c6a85017c Mon Sep 17 00:00:00 2001`
			`From: Serhiy Storchaka <storchaka@gmail.com>`
			`Date: Wed, 17 Jan 2024 15:41:50 +0200`
			`Subject: [PATCH] [CVE-2024-0450] Protect zipfile from "quoted-overlap" zipbomb`

			`Raise BadZipFile when try to read an entry that overlaps with`
			`other entry or central directory.`
			`(cherry picked from commit 66363b9a7b9fe7c99eba3a185b74c5fdbf842eba)`

			`From-PR: gh#python/cpython!110016`
			`Fixes: gh#python/cpython#109858`
			`Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch`
			`---`
fix patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=417 2024-05-18 17:48:46 +00:00			`Lib/test/test_zipfile.py \| 60 ++++++++++`
			`Lib/zipfile.py \| 12 ++`
- bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=416 2024-05-18 16:51:08 +00:00			`Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst \| 3`
fix patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=417 2024-05-18 17:48:46 +00:00			`3 files changed, 75 insertions(+)`
- bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=416 2024-05-18 16:51:08 +00:00			`create mode 100644 Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst`

			`--- a/Lib/test/test_zipfile.py`
			`+++ b/Lib/test/test_zipfile.py`
fix patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=417 2024-05-18 17:48:46 +00:00			`@@ -1377,6 +1377,66 @@ class TestsWithRandomBinaryFiles(unittes`
- bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=416 2024-05-18 16:51:08 +00:00			`with open(TESTFN, "wb") as fp:`
			`fp.write(self.data)`

			`+ @requires_zlib`
			`+ def test_full_overlap(self):`
			`+ data = (`
			`+ b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2\x1e'`
			`+ b'8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00a\xed'`
			+ b'\xc0\x81\x08\x00\x00\x00\xc00\xd6\xfbK\\d\x0b`P'
			`+ b'K\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2'`
			`+ b'\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00\x00'`
			`+ b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00aPK'`
			`+ b'\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2\x1e'`
			`+ b'8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00\x00\x00'`
			`+ b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00bPK\x05'`
			`+ b'\x06\x00\x00\x00\x00\x02\x00\x02\x00^\x00\x00\x00/\x00\x00'`
			`+ b'\x00\x00\x00'`
			`+ )`
			`+ with zipfile.ZipFile(io.BytesIO(data), 'r') as zipf:`
			`+ self.assertEqual(zipf.namelist(), ['a', 'b'])`
			`+ zi = zipf.getinfo('a')`
			`+ self.assertEqual(zi.header_offset, 0)`
			`+ self.assertEqual(zi.compress_size, 16)`
			`+ self.assertEqual(zi.file_size, 1033)`
			`+ zi = zipf.getinfo('b')`
			`+ self.assertEqual(zi.header_offset, 0)`
			`+ self.assertEqual(zi.compress_size, 16)`
			`+ self.assertEqual(zi.file_size, 1033)`
			`+ self.assertEqual(len(zipf.read('a')), 1033)`
			`+ with self.assertRaisesRegex(zipfile.BadZipFile, 'File name.*differ'):`
			`+ zipf.read('b')`
			`+`
			`+ @requires_zlib`
			`+ def test_quoted_overlap(self):`
			`+ data = (`
			`+ b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05Y\xfc'`
			`+ b'8\x044\x00\x00\x00(\x04\x00\x00\x01\x00\x00\x00a\x00'`
			`+ b'\x1f\x00\xe0\xffPK\x03\x04\x14\x00\x00\x00\x08\x00\xa0l'`
			`+ b'H\x05\xe2\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00'`
			`+ b'\x00\x00b\xed\xc0\x81\x08\x00\x00\x00\xc00\xd6\xfbK\\'`
			+ b'd\x0b`PK\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0'
			`+ b'lH\x05Y\xfc8\x044\x00\x00\x00(\x04\x00\x00\x01'`
			`+ b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'`
			`+ b'\x00aPK\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0l'`
			`+ b'H\x05\xe2\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00'`
			`+ b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x00\x00'`
			`+ b'bPK\x05\x06\x00\x00\x00\x00\x02\x00\x02\x00^\x00\x00'`
			`+ b'\x00S\x00\x00\x00\x00\x00'`
			`+ )`
			`+ with zipfile.ZipFile(io.BytesIO(data), 'r') as zipf:`
			`+ self.assertEqual(zipf.namelist(), ['a', 'b'])`
			`+ zi = zipf.getinfo('a')`
			`+ self.assertEqual(zi.header_offset, 0)`
			`+ self.assertEqual(zi.compress_size, 52)`
			`+ self.assertEqual(zi.file_size, 1064)`
			`+ zi = zipf.getinfo('b')`
			`+ self.assertEqual(zi.header_offset, 36)`
			`+ self.assertEqual(zi.compress_size, 16)`
			`+ self.assertEqual(zi.file_size, 1033)`
			`+ with self.assertRaisesRegex(zipfile.BadZipFile, 'Overlapped entries'):`
			`+ zipf.read('a')`
			`+ self.assertEqual(len(zipf.read('b')), 1033)`
			`+`
			`def tearDown(self):`
			`unlink(TESTFN)`
			`unlink(TESTFN2)`
			`--- a/Lib/zipfile.py`
			`+++ b/Lib/zipfile.py`
fix patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=417 2024-05-18 17:48:46 +00:00			`@@ -305,6 +305,7 @@ class ZipInfo (object):`
			`'compress_size',`
			`'file_size',`
			`'_raw_time',`
			`+ '_end_offset',`
			`)`
- bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=416 2024-05-18 16:51:08 +00:00
			`def __init__(self, filename="NoName", date_time=(1980,1,1,0,0,0)):`
fix patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=417 2024-05-18 17:48:46 +00:00			`@@ -343,6 +344,7 @@ class ZipInfo (object):`
- bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=416 2024-05-18 16:51:08 +00:00			`self.volume = 0 # Volume number of file header`
			`self.internal_attr = 0 # Internal attributes`
			`self.external_attr = 0 # External file attributes`
			`+ self._end_offset = None # Start of the next local header or central directory`
			`# Other attributes are set by class ZipFile:`
			`# header_offset Byte offset to the file header`
			`# CRC CRC-32 of the uncompressed file`
fix patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=417 2024-05-18 17:48:46 +00:00			`@@ -891,6 +893,12 @@ class ZipFile(object):`
- bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=416 2024-05-18 16:51:08 +00:00			`if self.debug > 2:`
fix patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=417 2024-05-18 17:48:46 +00:00			`print "total", total`
- bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=416 2024-05-18 16:51:08 +00:00
			`+ end_offset = self.start_dir`
			`+ for zinfo in sorted(self.filelist,`
			`+ key=lambda zinfo: zinfo.header_offset,`
			`+ reverse=True):`
			`+ zinfo._end_offset = end_offset`
			`+ end_offset = zinfo.header_offset`

			`def namelist(self):`
			`"""Return a list of file names in the archive."""`
fix patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=417 2024-05-18 17:48:46 +00:00			`@@ -1002,6 +1010,10 @@ class ZipFile(object):`
			`'File name in directory "%s" and header "%s" differ.' % (`
			`zinfo.orig_filename, fname)`
- bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=416 2024-05-18 16:51:08 +00:00
			`+ if (zinfo._end_offset is not None and`
			`+ zef_file.tell() + zinfo.compress_size > zinfo._end_offset):`
			`+ raise BadZipFile("Overlapped entries: {!r} (possible zip bomb)".format(zinfo.orig_filename))`
			`+`
			`# check for encrypted flag & handle password`
			`is_encrypted = zinfo.flag_bits & 0x1`
			`zd = None`
			`--- /dev/null`
			`+++ b/Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst`
			`@@ -0,0 +1,3 @@`
			+Protect :mod:`zipfile` from "quoted-overlap" zipbomb. It now raises
			`+BadZipFile when try to read an entry that overlaps with other entry or`
			`+central directory.`