Zip Bomb protection for wheels

[abitrolly]

It is possible to upload zip bombs as wheels to PyPI, because Pythonzipfile doesn't contain any tool to check for them (https://www.cvedetails.com/cve/CVE-2019-9674/)

Blocks #9972 which fixes #8254.

[abitrolly]

I requested sponsorship from https://sos.dev/ which claims to be Linux Foundation project sponsored by Google to work on this issue. Filled the form on 26 Dec 2021, 15:23 and haven't got any response since then. Sent a letter to sos-rewards@googlegroups.com feedback on 18 Mar 2022, 14:48 and no response either.

The form.

Are you representing yourself or a vendor/organization?

• Myself

Improvement category

• Other: Python zip bomp CVE marked as fixed, but vector still exists

Project name

Python

Link to source code

https://bugs.python.org/issue36260#msg341256

Is this submission for work you have already completed or a request for funds to make security improvements? *

• I need funds to complete the work (Limited to high complexity work ONLY)

Criticality

This rewards program is limited to critical open source projects. What makes an open source project critical? It should be a popular and widely used project that has a critical impact on infrastructure and user security. Projects that come to mind are popular web frameworks or libraries, decompression libraries, crypto libraries, mail servers, databases, network services, and security or toolchain dependencies of any critical projects themselves. In the response below, please explain in as many words as you feel are needed why this project is critical.

Python is the project powering a lot of backends. pypi.org is a package backend that powers many projects. The zip bomb elimination is needed so that PyPI can introspect Python wheel packages, which are wheels, and make wheel metadata available to researchers, who can not download the whole repository and unpack it (potentially hitting the same zip bomb problem).

Complexity

• Modest effort or complexity

Impact

• Moderate impact, compelling security benefits

Tell us more about the work

Please tell us what the improvement is and explain how it works, its complexity, and the security impact (including links to CLs). If the improvement required a lot of effort to complete, tell us why in detail. Include any information that may convince us that the improvement has a demonstrable, significant, and proactive impact on security. If this submission is similar to a previous submission, please let us know and tell us how this one is different.

https://nvd.nist.gov/vuln/detail/CVE-2019-9674 is a Python zip bomb CVE, which states that affected Python version is below 3.7.2, but in 3.7.2 there was just a warning in documentation without actual fix or example workaround. Therefore Python zipfile module still contains a valid DoS attack vector that is hidden from CVE databases.

The fix might be a trivial API extensions to limit size of extracted data per file, but this requires creating a test case with a valid zip bomb that passes CRC checks, and also the one with surpasses the memory and swap limit on a single machine to cause resource exhaustion.

The work is a blocker for a larger security improvement for PyPI (Python Packages Index) that will allow independent researchers to analyze Python wheel dependencies without downloading all wheels from PyPI. #9972 (comment)

I need support, because I have too little money to go on, and I feel too burned out for a full time DevOps/security job as a human resource. I'd like to finish this project, because it has value in my worldview, and I don't want my parents to pay for that, even if it helps to speed up the overall progress.

[uranusjr]

According to python/cpython#80441, CPython is not likely going to change anything in zipfile (other than documentation) for this, so this will need to be addressed in Warehouse instead (as a part of #9972 itself, not a separate security issue). So it seems this issue should be closed since PyPI is not currently affected by this particular security issue.

[astrojuanlu]

(Removed a comment after reading #9972 (comment))

[abitrolly]

Still got no response from https://sos.dev about sponsoring this work, even with inside help from Googlers. Applied for funding from https://internews.org/call-for-expressions-of-interest-strategic-planning-for-open-source-software-sustainability-project-sustain/

[abitrolly]

On Thu, 27 Apr 2023 at 12:23, Juan Luis Cano Rodríguez < ***@***.***> wrote: It's true that PyPI is not *currently* affected by this, but the fact that Zip bombs can be *uploaded* to PyPI blocks #9972 <#9972>, which fixes #8254 <#8254>.

And the zip bomb issue is alone significantly complex to require about 1-3 months of security research and development, which in a company environment would be equal to $10000 monthly rate without taxes, or roughly $20000 with taxes. Ideally in a team of two, so the real cost of proper fix for this CVE is something like $120000.

[abitrolly]

@di @ewjoachim @ewdurbin got funding for this issue. What is legal way to contact PSF to connect you guys? Deadline is today 12th of May for submitting new proposal (may be extended), but I my application should be fine.

I applied this PyPI issue for funded research to the Internews program - https://discourse.sustainoss.org/t/oss-digital-safety-tool-teams-funding-opp/1239. Folks contacted me yesterday and told me that they received funding by US government to support security work for Open Source initiatives. I am based in Belarus, so I am automatically disqualified, but I want you to have funds to close this security gap. @uranusjr knows CVE authors who I believe can do the job (#9972 (comment)).

[j-sal]

@di @ewjoachim @ewdurbin got funding for this issue. What is legal way to contact PSF to connect you guys? Deadline is today 12th of May for submitting new proposal (may be extended), but I my application should be fine.

I applied this PyPI issue for funded research to the Internews program - https://discourse.sustainoss.org/t/oss-digital-safety-tool-teams-funding-opp/1239. Folks contacted me yesterday and told me that they received funding by US government to support security work for Open Source initiatives. I am based in Belarus, so I am automatically disqualified, but I want you to have funds to close this security gap. @uranusjr knows CVE authors who I believe can do the job (#9972 (comment)).

Internews works on a number of tech-related projects with funding from the US Department of State. Among these are this project on supporting Open Source Digital Safety tools. Internews does not disqualify applicants from Belarus, or other countries (in fact this project aims to support diversification of the OSS space), providing that the team/ individual is able to demonstrate a clear link to the original tool team- this is due to the US State Department's regulations that require Internews to fulfil criteria of accountability and transparency. On this occasion, unfortunately Internews was unable to contact other members of the tool team and for this reason it has not been possible to include the PyPi team. Internews will continue to share opportunities with the mentioned forum and others to raise awareness of other Internews opportunities and remain happy to discuss criteria in greater depth.

[woodruffw]

Triaging: I believe this is stale now that #13877 is complete.

[merwok]

You mean #13877 ?