Description
Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.
References (11)
URL | Tags | Source type
http://seclists.org/oss-sec/2014/q1/592 | Mailing List, Third Party Advisory | mailing-list, x_refsource_mlist
http://www.securityfocus.com/bid/65179 | Third Party Advisory, VDB Entry | vdb-entry, x_refsource_bid
http://lists.opensuse.org/opensuse-updates/2014-05/msg00008.html | Mailing List, Third Party Advisory | vendor-advisory, x_refsource_suse
http://hg.python.org/cpython/rev/79ea4ce431b1 | Exploit, Patch, Vendor Advisory | x_refsource_confirm
https://security.gentoo.org/glsa/201503-10 | Third Party Advisory | vendor-advisory, x_refsource_gentoo
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html | Mailing List | vendor-advisory, x_refsource_apple
http://bugs.python.org/issue20078 | Exploit, Patch, Vendor Advisory | x_refsource_confirm
http://seclists.org/oss-sec/2014/q1/595 | Mailing List, Third Party Advisory | mailing-list, x_refsource_mlist
https://support.apple.com/kb/HT205031 | Patch, Vendor Advisory | x_refsource_confirm
http://www.securitytracker.com/id/1029973 | Third Party Advisory, VDB Entry | vdb-entry, x_refsource_sectrack
https://docs.python.org/3.3/whatsnew/changelog.html | Vendor Advisory | x_refsource_confirm
Scores
EPSS: 0.0778
EPSS Percentile: 92.1%
Details
CWE: CWE-20
Status: published
Products (5)
apple/mac_os_x < 10.10.4
python/python 3.3.0 (10 CPE variants)
python/python 3.3.1 (2 CPE variants)
python/python 3.3.2
python/python 3.3.3 (3 CPE variants)
Published: Apr 22, 2014
Tracked Since: Feb 18, 2026