[arch-security] [python] CVE-2013-7338 ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips

Billy McCann thebillywayne at gmail.com
Wed Mar 19 12:21:43 EDT 2014


This issue was fixed in Python 3.4 beta3 released 2014-01-26, it turns out. [0]

[0] http://docs.python.org/3/whatsnew/changelog.html#python-3-4-0-beta-3

--
Billy Wayne McCann, Ph.D. <https://plus.google.com/+BillyWayneMcCann>
irc://irc.freenode.net:bwayne
"A rich man will always desire what his wealth cannot acquire." ~ Faust
(Goethe)



On Wed, Mar 19, 2014 at 11:52 AM, Billy McCann <thebillywayne at gmail.com> wrote:

> Greetings.
>
> CVE-2013-7338 has been assigned to python issue 20078.
> "zipfile - ZipExtFile.read goes into 100% CPU infinite loop on
> maliciously binary edited zips". [0]
>
> This issue is not resolved in Python 3.4.0[1].
>
> An upstream fix is available. [2]
>
> FS39540 has been filed with "Resolution=patch". [3]
>
> [0] http://bugs.python.org/issue20078
> [1] http://docs.python.org/3.4/whatsnew/3.4.html
> [2] http://hg.python.org/cpython/rev/79ea4ce431b1
> [3] https://bugs.archlinux.org/task/39540
>
> BW
>