CVE-2013-7338

Published: 22 April 2014

Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.
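The description above is the whole technical content of this entry: a member's declared size that exceeds what the archive actually contains makes the reader in pre-3.3.4 interpreters spin waiting for bytes that never arrive. The following is an added example, not part of this tracker page or of the CPython patch it links, showing a defensive pre-extraction consistency check that application code can run on an untrusted archive before handing it to ZipExtFile.read or ZipFile.extractall. It uses only public zipfile attributes (ZipInfo.header_offset, compress_size, file_size, compress_type); the sample archive and the in-memory tampering of parsed size fields are constructed for the demonstration, and the function names are the example's own.

```python
import io
import zipfile


# Constructed sample archive (not from the page): one deflated and one
# stored member, so both branches of the check are exercised.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", b"hello " * 100, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("b.txt", b"world", compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


def find_inconsistent_members(zf: zipfile.ZipFile, archive_size: int) -> list:
    """Return names of members whose central-directory size fields cannot be
    satisfied by the bytes actually present in the archive.

    These are necessary conditions for a well-formed member; a legitimate
    archive never violates them, so a hit is a reason to reject the file
    rather than read it.
    """
    suspicious = []
    for info in zf.infolist():
        # The compressed payload starts after its local header, so it must end
        # inside the file: header_offset + compress_size is a conservative
        # lower bound on the bytes the entry needs.
        if info.header_offset + info.compress_size > archive_size:
            suspicious.append(info.filename)
            continue
        # A stored member is not compressed, so its declared uncompressed size
        # must equal its on-disk size; a larger file_size is exactly the
        # "size larger than the zip file" condition in the CVE text.
        if info.compress_type == zipfile.ZIP_STORED and info.file_size != info.compress_size:
            suspicious.append(info.filename)
    return suspicious


def check_archive_bytes(data: bytes) -> list:
    """Open an in-memory archive and run the consistency check on it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_inconsistent_members(zf, len(data))


def extract_if_consistent(data: bytes) -> dict:
    """Read every member only after the size fields pass the check; raise
    BadZipFile otherwise instead of handing the archive to ZipExtFile.read."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        bad = find_inconsistent_members(zf, len(data))
        if bad:
            raise zipfile.BadZipFile("size fields inconsistent for: %s" % ", ".join(bad))
        return {info.filename: zf.read(info) for info in zf.infolist()}


def tampered_in_memory_demo(data: bytes) -> dict:
    """Show the check firing.  The archive bytes are left untouched; only the
    parsed ZipInfo size fields are altered in memory (constructed demo)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        results = {"clean": find_inconsistent_members(zf, len(data))}
        # Stored member claiming far more data than it holds.
        zf.getinfo("b.txt").file_size = 10**9
        results["stored_size_inflated"] = find_inconsistent_members(zf, len(data))
        # Deflated member whose compressed data would run past end of file.
        zf.getinfo("a.txt").compress_size = len(data) + 1
        results["compressed_past_end"] = find_inconsistent_members(zf, len(data))
    return results


if __name__ == "__main__":
    sample = build_sample_zip()
    print("clean archive flagged:", check_archive_bytes(sample))
    print("extracted members:", sorted(extract_if_consistent(sample)))
    print("tampered demo:", tampered_in_memory_demo(sample))
```

The check is deliberately conservative: it only rejects archives that no valid writer could have produced, so it does not flag highly compressible deflated members whose uncompressed size legitimately exceeds the archive size. On a patched interpreter such input raises BadZipFile on read anyway; the value of the pre-check is that it keeps the decision in application code, independent of the interpreter version.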

Priority

Low

Status

Package / Release / Status

python2.6 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

python2.7 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable

python3.1 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

python3.2 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

python3.3 (Launchpad, Ubuntu, Debian)
  Upstream: Released (3.3.4-1)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist
  Patches:
    Upstream: http://hg.python.org/cpython/rev/0cf1defd5ac4/

python3.4 (Launchpad, Ubuntu, Debian)
  Upstream: Released (3.4~b3-1)
  Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (3.4~rc3-0ubuntu1)

Notes

Author: mdeslaur
Note: looks like it was introduced in python 3.3:
http://hg.python.org/cpython/rev/028e8e0b03e8
