[CVE-2019-20907] Infinite loop in the tarfile module #83198
Comments
While playing with fuzzing and Python, I stumbled upon an infinite loop in Python's tarfile module: just open the attached file with |
I've attached a minimal tar file which reproduces this. I think the minimum length is 516 bytes. We need a 512 byte PAX format header block as normal. Then we need a pax header which matches the regex in Line 1243 in b26a0db
We use the Line 1271 in b26a0db
```python
while True:
    ...
    pos += length
```
So we can start the block with "0 X=". This makes length=0. So it will increment pos by 0 each loop and loop the same code forever. Nice find. Do you think this denial of service is worth requesting a CVE for? If so, can someone else do it. |
A smaller bug: If instead of 0 you use a large number (> 2^63) e.g. 9999999999999999999 you get |
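The record loop discussed in the comments above, written defensively. This is an added example, not part of the original thread and not CPython's code or the merged fix: a stand-alone pax record parser that rejects any length field that cannot advance `pos` or that runs past the buffer. The names `parse_pax_records`, `PaxHeaderError` and `RECORD_RE`, the regex itself, and the sample bytes are assumptions constructed for illustration.

```python
import re

# "<decimal length> <keyword>=" at the start of each record.
# Assumed pattern for this example; the thread does not reproduce tarfile's regex.
RECORD_RE = re.compile(rb"(\d+) ([^=]+)=")


class PaxHeaderError(ValueError):
    """Raised when a pax extended header record is malformed."""


def parse_pax_records(buf: bytes) -> dict:
    """Parse 'LEN KEY=VALUE\\n' records; every accepted record must move pos forward."""
    records = {}
    pos = 0
    while pos < len(buf):
        match = RECORD_RE.match(buf, pos)
        if match is None:
            if buf[pos:].strip(b"\0") == b"":
                break  # only NUL block padding is left
            raise PaxHeaderError(f"no record header at offset {pos}")
        length = int(match.group(1))
        header_len = match.end() - pos  # bytes taken by "LEN KEY="
        # LEN counts the whole record, so it must cover the header plus "\n".
        # This rejects "0 X=" (length 0), which would otherwise never advance pos.
        if length < header_len + 1:
            raise PaxHeaderError(f"length {length} too small at offset {pos}")
        # Rejects oversized values such as 9999999999999999999.
        if pos + length > len(buf):
            raise PaxHeaderError(f"length {length} exceeds buffer at offset {pos}")
        if buf[pos + length - 1:pos + length] != b"\n":
            raise PaxHeaderError(f"record at offset {pos} lacks trailing newline")
        keyword = match.group(2).decode("utf-8", "replace")
        records[keyword] = buf[match.end():pos + length - 1]
        pos += length  # guaranteed > 0 by the checks above
    return records


# Constructed sample: two well-formed records followed by NUL padding.
SAMPLE = b"12 path=foo\n30 mtime=1350244992.023960108\n" + b"\0" * 8

if __name__ == "__main__":
    print(parse_pax_records(SAMPLE))
    for bad in (b"0 X=", b"9999999999999999999 X="):
        try:
            parse_pax_records(bad)
        except PaxHeaderError as exc:
            print("rejected:", exc)
```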
Hi! I would like to start contributing to CPython. Can I start working on this issue? |
Absolutely! But first, you'll need to sign the Contributor License Agreement: https://www.python.org/psf/contrib/contrib-form/ Thank you for your help! |
Thank you. I have signed the CLA agreement. I have pushed my code changes and also written a testcase for this issue |
CVE-2019-20907 has been assigned to this issue. |
Larry and Ned, do you want this fix in the security-only releases you manage? PRs for 3.6 and 3.7 are ready, should you wish to merge them. |
Yes, please. It's a simple low-risk fix. And 3.5.10rc1 is stuck waiting for a fix anyway. Thanks! |
Thanks, the PRs for 3.7 and 3.6 are now merged. |
Given that a CVE was assigned for this, I think it'd be better if the news were in the 'Security' category and not 'Library'. |