Bug 1856481 (CVE-2019-20907)

Summary: CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adev88, bdettelb, carl, charleryals, cstratak, dmalcolm, extras-orphan, hhorak, jeffrey.ness, jorton, kevin, manisandro, m.cyprian, mhroncok, pviktori, python-maint, python-sig, rkuska, shcherbina.iryna, slavek.kabrda, steve.traylen, thrnciar, TicoTimo, tomckay, tomspur, torsava, tvainio, vstinner
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python. In Lib/tarfile.py an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-10-19 20:21:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1856482, 1856483, 1856484, 1856485, 1856486, 1856488, 1856489, 1856490, 1856491, 1856492, 1856493, 1856536, 1856537, 1856538, 1856539, 1856540, 1856541, 1856542, 1856543, 1856544, 1856545, 1856546, 1856647, 1856648, 1856649, 1856650, 1856651, 1856652, 1882666, 1885296, 1916667, 1916668, 1916669    
Bug Blocks: 1856487    

Description Guilherme de Almeida Suckevicz 2020-07-13 18:33:53 UTC
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

Reference:
https://bugs.python.org/issue39017

Upstream commit:
https://github.com/python/cpython/pull/21454

Comment 1 Guilherme de Almeida Suckevicz 2020-07-13 18:35:14 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 1856489]


Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1856485]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1856486]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1856488]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1856483]
Affects: fedora-all [bug 1856491]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1856490]


Created python36 tracking bugs for this issue:

Affects: fedora-all [bug 1856492]


Created python37 tracking bugs for this issue:

Affects: fedora-all [bug 1856493]


Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1856484]


Created python39 tracking bugs for this issue:

Affects: fedora-all [bug 1856482]

Comment 3 Todd Cullum 2020-07-13 21:42:41 UTC
Mitigation:

This flaw can be mitigated by not opening untrusted files with tarfile.

Comment 6 Todd Cullum 2020-07-13 21:48:04 UTC
Statement:

A service is vulnerable if it uses python's tarfile module to open untrusted tar files. If an attacker is able to submit a crafted tar file to a service which uses the tarfile module to open it, an infinite loop will be executed, potentially causing a denial of service. The tarfile module is included with python.

Comment 7 Todd Cullum 2020-07-13 22:00:35 UTC
Flaw summary:

In Lib/tarfile.py's _proc_pax() function, there's a while True loop which relies upon the value of the pos variable in order to exit the loop. This variable is incremented with `pos += length` but it's possible for length to be 0, thus the loop will never exit. It's possible for length to be set to 0 because the function uses regex to parse the length like: (length, keyword, value). The patch raises an exception if the length variable is 0 and adds a test.
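
As an added example (not code from this bug, from CPython, or from Red Hat), the Python below models the _proc_pax() record loop described in Comment 7 with and without the zero-length check the upstream fix adds, and turns the exposure described in Comment 6 into a pre-open check that scans an untrusted archive's pax headers for a zero-length record before tarfile.open ever parses it. Every name here (pax_record, parse_pax_records, describe, find_zero_length_pax_records, build_sample_archive, and the InvalidHeaderError and LoopGuardTripped stand-ins) is an assumption of this example; the sample archive is constructed in memory by tarfile itself and then patched, so no archive file is shipped with the page.

```python
import io
import re
import tarfile

# Pax record syntax as tarfile.py's _proc_pax() parses it:
#   "%d %s=%s\n" % (length, keyword, value)
# `length` counts the whole record: its own digits, the space, '=' and '\n'.
_RECORD = re.compile(rb"(\d+) ([^=]+)=")


class InvalidHeaderError(Exception):
    """Stand-in for tarfile.InvalidHeaderError (assumed role, demo only)."""


class LoopGuardTripped(Exception):
    """Demo only: raised where the unpatched loop would spin forever."""


def pax_record(keyword, value):
    """Encode one record as tarfile._create_pax_generic_header() does; the
    length is found iteratively because its own digit count is part of it."""
    keyword, value = keyword.encode("utf-8"), value.encode("utf-8")
    base = len(keyword) + len(value) + 3            # ' ' + '=' + '\n'
    n = p = 0
    while True:
        n = base + len(str(p))
        if n == p:
            break
        p = n
    return str(p).encode("ascii") + b" " + keyword + b"=" + value + b"\n"


def parse_pax_records(buf, patched=True, max_iterations=10_000):
    """Model of the _proc_pax() record loop.  patched=False mirrors Python
    <= 3.8.3: with length == 0, `pos += length` never advances and the same
    record is re-read forever (the iteration cap is a demo-only guard).
    patched=True adds the single check from the upstream fix (bpo-39017)."""
    headers, pos = {}, 0
    for _ in range(max_iterations):
        match = _RECORD.match(buf, pos)
        if not match:
            return headers
        length, keyword = match.groups()
        length = int(length)
        if patched and length == 0:
            raise InvalidHeaderError("invalid header")
        value = buf[match.end(2) + 1:match.start(1) + length - 1]
        headers[keyword.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
        pos += length
    raise LoopGuardTripped("no exit after %d iterations" % max_iterations)


def describe(buf, patched):
    """Demo driver: report how the modelled loop ends on `buf`."""
    try:
        keys = sorted(parse_pax_records(buf, patched, max_iterations=100))
        return "parsed " + str(keys)
    except InvalidHeaderError:
        return "rejected: invalid header"
    except LoopGuardTripped:
        return "hung: guard tripped"


def find_zero_length_pax_records(raw):
    """Pre-open check for an untrusted archive: walk the raw 512-byte tar
    headers and, for each pax extended ('x') or global ('g') header, look for
    a record whose length field is 0.  Returns [(member_offset, keyword)].
    Assumes plain octal size fields (GNU base-256 sizes are not handled)."""
    BLOCK = 512
    hits, off = [], 0
    while off + BLOCK <= len(raw):
        hdr = raw[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:                    # end-of-archive marker
            break
        size = int(hdr[124:136].split(b"\0")[0].strip() or b"0", 8)
        if hdr[156:157] in (b"x", b"g"):
            buf, pos = raw[off + BLOCK:off + BLOCK + size], 0
            while True:
                m = _RECORD.match(buf, pos)
                if not m:
                    break
                if int(m.group(1)) == 0:
                    hits.append((off, m.group(2).decode("utf-8", "replace")))
                    break
                pos += int(m.group(1))
        off += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK
    return hits


def build_sample_archive(poison=False):
    """Constructed sample: a one-file PAX archive written by tarfile itself.
    poison=True rewrites the record's length digits "17" to "00": same byte
    length, so every header and checksum stays valid, but int() gives 0."""
    bio = io.BytesIO()
    with tarfile.open(fileobj=bio, mode="w", format=tarfile.PAX_FORMAT) as tar:
        payload = b"hello\n"
        ti = tarfile.TarInfo("foo/bar.txt")
        ti.size = len(payload)
        ti.pax_headers = {"comment": "hello"}       # forces a pax extended header
        tar.addfile(ti, io.BytesIO(payload))
    raw = bio.getvalue()
    if poison:
        good = pax_record("comment", "hello")       # b"17 comment=hello\n"
        raw = raw.replace(good, b"00" + good[2:], 1)
    return raw
```

The poisoned archive is byte-for-byte the same size as the clean one, so the only thing wrong with it is the length field of one pax record; that is exactly what the pre-open scanner keys on, and it is the same condition the upstream check rejects. On an interpreter carrying the fix, tarfile.open(fileobj=io.BytesIO(build_sample_archive(poison=True))) fails with tarfile.ReadError instead of looping; on Python 3.8.3 and earlier the open call never returns. The scanner only understands octal size fields, so archives using GNU base-256 sizes need a fuller tar walker before this check can be trusted.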

Comment 10 Miro Hrončok 2020-07-16 11:51:26 UTC
Tomas, Joshua, is the updated summary of all the bugzillas scripted? Can the script be updated to use the *This is a minor update (do not send email)* option?

Comment 20 errata-xmlrpc 2020-10-19 18:05:43 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285

Comment 21 Product Security DevOps Team 2020-10-19 20:21:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20907

Comment 22 errata-xmlrpc 2020-10-20 16:00:44 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4273 https://access.redhat.com/errata/RHSA-2020:4273

Comment 25 errata-xmlrpc 2020-10-20 20:00:08 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4299 https://access.redhat.com/errata/RHSA-2020:4299

Comment 26 errata-xmlrpc 2020-11-04 00:51:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4433 https://access.redhat.com/errata/RHSA-2020:4433

Comment 27 errata-xmlrpc 2020-11-04 02:35:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4641 https://access.redhat.com/errata/RHSA-2020:4641

Comment 28 errata-xmlrpc 2020-11-04 02:42:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4654 https://access.redhat.com/errata/RHSA-2020:4654

Comment 31 errata-xmlrpc 2020-11-10 12:58:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5009 https://access.redhat.com/errata/RHSA-2020:5009

Comment 32 errata-xmlrpc 2020-11-10 12:59:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5010 https://access.redhat.com/errata/RHSA-2020:5010

Comment 34 errata-xmlrpc 2021-02-16 08:36:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:0528 https://access.redhat.com/errata/RHSA-2021:0528

Comment 35 errata-xmlrpc 2021-03-09 09:19:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:0761 https://access.redhat.com/errata/RHSA-2021:0761

Comment 36 errata-xmlrpc 2021-03-16 14:54:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0881 https://access.redhat.com/errata/RHSA-2021:0881