Python Zipfile Module ZIP64 End-of-Central-Directory Locator Offset Validation Vulnerability
Vulnerability
A vulnerability exists in the Python 'zipfile' module in its handling of ZIP64 End-of-Central-Directory (EOCD) Locator records. The module does not validate the offset field in the locator, which is the field that identifies where the corresponding ZIP64 EOCD record is located in the archive. Instead, it assumes that the ZIP64 EOCD record immediately precedes the locator. This flaw can be exploited to create ZIP files that the 'zipfile' module processes differently than other ZIP handling implementations. The issue arises in Python versions 3.9 through 3.14, with the exception of 3.10, where the vulnerability has been addressed.
Impact
Exploitation of this vulnerability can lead to inconsistencies in how ZIP archives are processed, potentially causing errors or unexpected behavior when handling ZIP files that include ZIP64 extensions.
Reproduction
The vulnerability can be reproduced by creating a ZIP file that includes a ZIP64 EOCD Locator record whose offset field does not correspond to the actual location of the ZIP64 EOCD record. When this ZIP file is processed by the 'zipfile' module, it ignores the stated offset and instead reads the record immediately preceding the locator, so the module's view of the archive's contents differs from that of implementations that follow the offset.
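Added example, not part of this advisory and not code from CPython: a small Python checker that reads the ZIP64 EOCD Locator and compares the offset it states with the position a parser would use under the "record immediately precedes the locator" assumption described above. When the two disagree, different ZIP implementations can end up reading different ZIP64 EOCD records, so a defensive pipeline should reject or quarantine the archive instead of passing it to 'zipfile'. Record layouts follow the PKWARE application note; build_zip64_archive is a constructed test fixture used only to exercise the check, and all function and field names are assumptions of this example.

```python
import struct
from typing import NamedTuple, Optional

# Signatures and fixed sizes of the trailer records, per the ZIP application note (APPNOTE.TXT)
EOCD_SIG = b"PK\x05\x06"             # end of central directory record
EOCD_SIZE = 22
ZIP64_LOCATOR_SIG = b"PK\x06\x07"    # ZIP64 end of central directory locator
ZIP64_LOCATOR_SIZE = 20
ZIP64_EOCD_SIG = b"PK\x06\x06"       # ZIP64 end of central directory record
ZIP64_EOCD_SIZE = 56                 # fixed part of the record, before any extensible data


class Zip64Check(NamedTuple):
    has_locator: bool
    claimed_offset: Optional[int]    # offset written in the locator
    preceding_record: Optional[int]  # offset of a ZIP64 EOCD record found directly before the locator
    consistent: bool                 # both views agree, so every parser reads the same record


def find_eocd(data: bytes) -> int:
    """Locate the EOCD record by scanning backwards; it may be followed by a comment of up to 65535 bytes."""
    start = max(0, len(data) - (EOCD_SIZE + 0xFFFF))
    pos = data.rfind(EOCD_SIG, start)
    if pos < 0:
        raise ValueError("no end-of-central-directory record found")
    return pos


def check_zip64_locator(data: bytes) -> Zip64Check:
    """Compare the locator's stated offset with the 'record immediately precedes the locator' assumption."""
    eocd = find_eocd(data)
    loc = eocd - ZIP64_LOCATOR_SIZE
    if loc < 0 or data[loc:loc + 4] != ZIP64_LOCATOR_SIG:
        # Plain (non-ZIP64) archive: there is no locator, so nothing can disagree
        return Zip64Check(False, None, None, True)
    _sig, _disk, claimed, _disks = struct.unpack("<4sIQI", data[loc:loc + ZIP64_LOCATOR_SIZE])
    # Position a parser reads if it assumes the record sits directly before the locator
    assumed = loc - ZIP64_EOCD_SIZE
    preceding = assumed if assumed >= 0 and data[assumed:assumed + 4] == ZIP64_EOCD_SIG else None
    # The stated offset must itself point at a ZIP64 EOCD signature inside the file
    claimed_ok = claimed + 4 <= loc and data[claimed:claimed + 4] == ZIP64_EOCD_SIG
    return Zip64Check(True, claimed, preceding, claimed_ok and claimed == preceding)


def build_zip64_archive(name: bytes = b"a.txt", locator_offset: Optional[int] = None) -> bytes:
    """Constructed fixture (not a real-world sample): a one-entry archive holding an empty stored
    file, followed by a ZIP64 EOCD record, its locator and a classic EOCD. By default the locator
    points at the real record; locator_offset overrides that value to exercise the checker."""
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 0, 0, 0, 0x21, 0, 0, 0, len(name), 0) + name
    cd_offset = len(local)
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 0, 0, 0, 0x21,
                          0, 0, 0, len(name), 0, 0, 0, 0, 0, 0) + name
    record_offset = cd_offset + len(central)
    record = struct.pack("<4sQHHIIQQQQ", ZIP64_EOCD_SIG, 44, 45, 45, 0, 0, 1, 1, len(central), cd_offset)
    locator = struct.pack("<4sIQI", ZIP64_LOCATOR_SIG, 0,
                          record_offset if locator_offset is None else locator_offset, 1)
    eocd = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + central + record + locator + eocd


if __name__ == "__main__":
    for label, off in (("locator agrees with record", None), ("locator offset mismatched", 0)):
        print(label, "->", check_zip64_locator(build_zip64_archive(locator_offset=off)))
```

Run check_zip64_locator on the raw archive bytes before handing them to 'zipfile'; a result with consistent set to False means the locator and the record position disagree, which is exactly the ambiguity the advisory describes, and such an archive should not be trusted to parse the same way everywhere.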
Remediation
Users can update to Python versions 3.14 or 3.10 to address this vulnerability. Instructions for updating can be found in the Python documentation.
