[CVE-2019-20907] Infinite loop in the tarfile module #83198
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
assignee = None closed_at = <Date 2020-07-16.19:49:38.415> created_at = <Date 2019-12-10.16:19:56.633> labels = ['type-security', '3.7', '3.8', '3.9', '3.10'] title = '[CVE-2019-20907] Infinite loop in the tarfile module' updated_at = <Date 2020-08-03.10:07:01.350> user = 'https://bugs.python.org/jvoisin'
activity = <Date 2020-08-03.10:07:01.350> actor = 'vstinner' assignee = 'none' closed = True closed_date = <Date 2020-07-16.19:49:38.415> closer = 'larry' components =  creation = <Date 2019-12-10.16:19:56.633> creator = 'jvoisin' dependencies =  files = ['48768', '49309'] hgrepos =  issue_num = 39017 keywords = ['patch'] message_count = 17.0 messages = ['358200', '373339', '373341', '373468', '373473', '373577', '373632', '373681', '373683', '373684', '373685', '373686', '373687', '373688', '373689', '373764', '373972'] nosy_count = 11.0 nosy_names = ['lars.gustaebel', 'larry', 'ned.deily', 'petr.viktorin', 'ethan.furman', 'mgorny', 'serhiy.storchaka', 'miss-islington', 'bc', 'jvoisin', 'rishi93'] pr_nums = ['21454', '21482', '21483', '21484', '21485', '21489'] priority = 'normal' resolution = 'fixed' stage = 'resolved' status = 'closed' superseder = None type = 'security' url = 'https://bugs.python.org/issue39017' versions = ['Python 3.5', 'Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10']
While playing with fuzzing and Python, I stumbled upon an infinite loop in Python's tarfile module: just open the attached file with
I've attached a minimal tar file which reproduces this. I think the minimum length is 516 bytes.
We need a 512-byte PAX format header block as normal.
Then we need a pax header which matches the regex in
We use the
```
while True:
    ...
    pos += length
```
So we can start the block with "0 X=". This makes length=0. So it will increment pos by 0 each loop and loop the same code forever.
Do you think this denial of service is worth requesting a CVE for? If so, can someone else do it?
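Added example, not part of the original thread and not CPython's patch: a stand-alone pax record parser that enforces forward progress, so the `length=0` record described above is rejected instead of looping. The regex, the function names and the sample buffers are assumptions made for illustration, based on the POSIX pax record layout `<len> <key>=<value>\n`.

```python
import re

# Assumed record shape, from the POSIX pax format: b"<len> <key>=<value>\n",
# where <len> counts the whole record, including its own digits.
RECORD_HEAD = re.compile(rb"(\d+) ([^=]+)=")


class BadPaxHeader(ValueError):
    """The pax extended header data cannot be parsed safely."""


def parse_pax_records(buf: bytes) -> dict:
    """Parse pax records, guaranteeing that every iteration advances pos."""
    records = {}
    pos = 0
    while pos < len(buf):
        if buf[pos:pos + 1] == b"\0":      # NUL padding ends the records
            break
        match = RECORD_HEAD.match(buf, pos)
        if match is None:
            raise BadPaxHeader(f"malformed record at offset {pos}")
        length = int(match.group(1))
        head_len = match.end() - pos
        # A record must span its own "<len> <key>=" prefix plus the newline.
        # This rejects length=0 ("0 X="), which would leave pos unchanged.
        if length < head_len + 1:
            raise BadPaxHeader(f"record length {length} too small at offset {pos}")
        end = pos + length
        if end > len(buf) or buf[end - 1:end] != b"\n":
            raise BadPaxHeader(f"record at offset {pos} overruns or lacks newline")
        records[match.group(2).decode("utf-8", "replace")] = buf[match.end():end - 1]
        pos = end                          # strictly greater than before
    return records


def is_safe_pax_block(buf: bytes) -> bool:
    """True if buf parses cleanly; False for any malformed record."""
    try:
        parse_pax_records(buf)
    except BadPaxHeader:
        return False
    return True


# Constructed sample inputs (not taken from the attached files).
GOOD = b"11 path=ab\n12 uid=1000\n" + b"\0" * 489
ZERO_LEN = b"0 X=" + b"\0" * 508
```

On interpreters that lack the fix, a check of this kind can run over pax header data from untrusted archives before `tarfile` processes them.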