bpo-39017 Fix infinite loop in the tarfile module #21454
Merged
Add a check for length = 0 in the _proc_pax function to avoid running into an infinite loop
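The failure mode named in the description above, as an added example (a simplified model of a pax record loop, not CPython's `_proc_pax` and not code from this pull request). The names `parse_pax_records`, `InvalidPaxHeader`, `check_zero_length` and `max_steps` are hypothetical, and the sample byte strings are constructed.

```python
import re

# A pax record is b"<length> <keyword>=<value>\n"; <length> is the size of
# the whole record in bytes, including the length digits themselves.
RECORD = re.compile(br"(\d+) ([^=]+)=")

# Constructed sample inputs (not taken from any real archive).
SAMPLE_OK = b"20 path=foo/bar.txt\n12 uid=1000\n"
SAMPLE_ZERO = b"0 path=x\n"


class InvalidPaxHeader(ValueError):
    """A record that cannot move the parse position forward."""


def parse_pax_records(buf, check_zero_length=True, max_steps=1000):
    """Return {keyword: value} for the pax records in buf.

    check_zero_length=False models a loop without the guard. max_steps is a
    demonstration aid (hypothetical): it turns the endless loop into an error.
    """
    headers = {}
    pos = 0
    for _ in range(max_steps):
        match = RECORD.match(buf, pos)
        if not match:
            return headers
        length = int(match.group(1))
        if check_zero_length and length == 0:
            raise InvalidPaxHeader("pax record with length 0")
        # Value runs from just after '=' to just before the trailing newline.
        value = buf[match.end(2) + 1:match.start(1) + length - 1]
        headers[match.group(2).decode("utf-8")] = value.decode("utf-8")
        pos += length  # with length == 0, pos never moves
    raise RuntimeError("parser made no progress in %d steps" % max_steps)


if __name__ == "__main__":
    print(parse_pax_records(SAMPLE_OK))
    for guarded in (True, False):
        try:
            parse_pax_records(SAMPLE_ZERO, check_zero_length=guarded, max_steps=50)
        except (InvalidPaxHeader, RuntimeError) as exc:
            print("guard=%s -> %s: %s" % (guarded, type(exc).__name__, exc))
```

Without the guard the loop re-reads the same record because the position is advanced by the declared length; rejecting a zero length makes the parser fail fast instead.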
Could you note the CVE number that got assigned to this flaw?
Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
Lib/test/test_tarfile.py
| def test_length_zero_header(self): | ||
| with self.assertRaisesRegex(tarfile.ReadError, "file could not be opened successfully"): | ||
| with tarfile.open(support.findfile('recursion.tar')) as tar: | ||
| tar.getmembers() |
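Review bot: nothing in test_length_zero_header bounds how long tarfile.open(support.findfile('recursion.tar')) may run, so if the length check is ever lost this test hangs the suite instead of failing. It would also help to put a short comment above the test naming bpo-39017 and saying what recursion.tar contains, since the asserted message "file could not be opened successfully" does not by itself tell a future reader which defect the fixture guards against.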
bcaller
Jul 14, 2020
Contributor
I think this tar.getmembers() can be replaced with pass since it should never be called. Or you can call tarfile.is_tarfile instead of with tarfile.open.... Feel free to ignore this comment.
rishi93
Jul 14, 2020
Author
Contributor
Thank you for the comment, I replaced the tar.getmembers() with pass as you suggested
Add relevant CVE number in inline comments Co-authored-by: Petr Viktorin <encukou@gmail.com>
Replace code that is never called with pass in tarfile testcase
5a8d121 into python:master
10 checks passed
bedevere/news
News entry found in Misc/NEWS.d
Thank you!
miss-islington added a commit to miss-islington/cpython that referenced this pull request Jul 15, 2020
Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907). (cherry picked from commit 5a8d121) Co-authored-by: Rishi <rishi_devan@mail.com>
GH-21482 is a backport of this pull request to the 3.9 branch.
GH-21483 is a backport of this pull request to the 3.8 branch.
GH-21484 is a backport of this pull request to the 3.7 branch.
GH-21485 is a backport of this pull request to the 3.6 branch.
Thank you everyone, for this opportunity
https://bugs.python.org/issue39017