Key information

Vulnerability type: ZIP parser confusion attacks
Scope: Python package installers and inspectors
Cause: a popular installer extracts archives differently from the standard library module

PyPI's measures:
- Rejecting ZIP archives with invalid record and framing information
- Rejecting ZIP archives with duplicate filenames in Local File and Central Directory headers
- Rejecting ZIP archives where the files listed in Local File and Central Directory headers don't match
- Rejecting ZIP archives with trailing data or multiple End of Central Directory headers
- Rejecting ZIP archives with incorrect End of Central Directory Locator values

Recommendations for users:
- Ensure your installer tools are up to date
- Update your own build process, or report the issue to your build tool if applicable
- Ensure that your ZIP implementation follows the ZIP standard and checks the Central Directory before proceeding with decompression
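The measures and the last recommendation above all come down to one property: the End of Central Directory record, the Central Directory and the Local File headers of an archive must agree before anything is decompressed. The checker below is an added example written for this summary (it is not PyPI's code and not the code of any installer). It parses those three structures directly with struct, reports every disagreement it finds, and is exercised on a constructed two-file archive plus two tampered copies of it. It assumes a single-disk, non-ZIP64 archive; the sample package name and file contents are made up.

```python
import io
import struct
import zipfile
from typing import Dict, List, Tuple

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record
CDH_SIG = b"PK\x01\x02"    # Central Directory file header
LFH_SIG = b"PK\x03\x04"    # Local File header


def check_zip_consistency(data: bytes) -> List[str]:
    """Return the consistency problems found in a ZIP byte string.

    An empty list means the EOCD record, the Central Directory and the Local
    File headers agree, which is what a ZIP implementation should verify
    before it decompresses anything. Single-disk, non-ZIP64 archives only.
    """
    problems: List[str] = []

    # 1. EOCD: exactly one signature, and the file must end right after the
    #    record plus its declared comment (anything else is trailing data).
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) < eocd + 22:
        return ["missing or truncated End of Central Directory record"]
    if data.find(EOCD_SIG) != eocd:
        problems.append("multiple End of Central Directory signatures")
    _disk, _cd_disk, n_disk, n_total, cd_size, cd_offset, comment_len = \
        struct.unpack("<HHHHIIH", data[eocd + 4:eocd + 22])
    if eocd + 22 + comment_len != len(data):
        problems.append("trailing data after End of Central Directory")
    if n_disk != n_total:
        problems.append("EOCD entry counts disagree")
    if cd_offset + cd_size != eocd:
        problems.append("EOCD Central Directory offset/size do not reach the EOCD")
        return problems  # the directory location cannot be trusted from here on

    # 2. Central Directory: one record per entry, unique names, unique offsets.
    cd_entries: Dict[int, Tuple[str, int]] = {}  # local header offset -> (name, csize)
    cd_names = set()
    pos = cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CDH_SIG:
            problems.append(f"bad Central Directory signature at offset {pos}")
            return problems
        f = struct.unpack("<HHHHHHIIIHHHHHII", data[pos + 4:pos + 46])
        csize, nlen, xlen, clen, lfh_off = f[7], f[9], f[10], f[11], f[15]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        if name in cd_names:
            problems.append(f"duplicate name in Central Directory: {name!r}")
        if lfh_off in cd_entries:
            problems.append(f"two Central Directory records point at offset {lfh_off}")
        cd_names.add(name)
        cd_entries[lfh_off] = (name, csize)
        pos += 46 + nlen + xlen + clen
    if pos != cd_offset + cd_size:
        problems.append("Central Directory size does not match its records")

    # 3. Local File headers: walk them from offset 0 and require a one-to-one
    #    match with the Central Directory (same offset and same name).
    local_names = set()
    pos = 0
    while pos < cd_offset:
        if data[pos:pos + 4] != LFH_SIG or len(data) < pos + 30:
            problems.append(f"unexpected bytes at offset {pos} before the Central Directory")
            break
        f = struct.unpack("<HHHHHIIIHH", data[pos + 4:pos + 30])
        csize, nlen, xlen = f[6], f[8], f[9]
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        if name in local_names:
            problems.append(f"duplicate name in Local File headers: {name!r}")
        local_names.add(name)
        if pos not in cd_entries:
            problems.append(f"Local File header {name!r} at offset {pos} is not in the Central Directory")
        else:
            cd_name, csize = cd_entries[pos]  # directory sizes are authoritative
            if cd_name != name:
                problems.append(f"name mismatch at offset {pos}: local {name!r} vs central {cd_name!r}")
        pos += 30 + nlen + xlen + csize
    for name, _ in cd_entries.values():
        if name not in local_names:
            problems.append(f"Central Directory entry {name!r} has no Local File header")
    return problems


def build_sample() -> bytes:
    """Constructed sample: a tiny wheel-like archive with made-up contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pkg/__init__.py", "VERSION = '1.0'\n")
        zf.writestr("pkg-1.0.dist-info/METADATA", "Name: pkg\nVersion: 1.0\n")
    return buf.getvalue()


def with_trailing_data(data: bytes) -> bytes:
    """Tampered copy: bytes appended after the EOCD record."""
    return data + b"\x00" * 16


def with_local_name_mismatch(data: bytes) -> bytes:
    """Tampered copy: first Local File header renamed, Central Directory untouched."""
    return data.replace(b"pkg/__init__.py", b"pkg/__init__.pz", 1)


if __name__ == "__main__":
    for label, blob in [("clean", build_sample()),
                        ("trailing", with_trailing_data(build_sample())),
                        ("mismatch", with_local_name_mismatch(build_sample()))]:
        print(label, check_zip_consistency(blob) or "OK")
```

The walk in step 3 deliberately takes each entry's compressed size from the Central Directory rather than from the Local File header, since the local size field may legitimately be zero when a data descriptor is used; an implementation that trusts the local headers alone is exactly the kind of parser that can be steered into extracting different files from the ones the directory lists.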