
Bug 732498 (CVE-2019-20907)

Summary: <dev-lang/python-{2.7.18-r1, 3.6.11-r2, 3.7.8-r2, 3.8.4-r1}: Infinite loop DoS (CVE-2019-20907)
Product: Gentoo Security
Component: Vulnerabilities
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugs.python.org/issue39017
Whiteboard: A3 [glsa+ cleanup cve]
Reporter: John Helmert III <ajak>
Assignee: Gentoo Security <security>
CC: mgorny, python
Keywords: CC-ARCHES
Package list: dev-lang/python-2.7.18-r1 dev-lang/python-3.6.11-r2 dev-lang/python-3.7.8-r2 dev-lang/python-3.8.4-r1
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 728668

Description John Helmert III 2020-07-13 19:06:09 UTC
CVE-2019-20907:

In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

Issue: https://bugs.python.org/issue39017
Patch: https://github.com/python/cpython/pull/21454
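The CVE text above says the pax record loop in _proc_pax lacked header validation: each record is "<length> <keyword>=<value>\n" and the parser advances its cursor by <length>, so a record that claims length 0 never advances and the loop spins forever. The following is an added example, not code from the bug report, from Gentoo or from CPython: it re-implements that record loop with a length check and walks raw 512-byte tar headers to flag pax extended headers that would trap an unpatched interpreter, without ever handing the archive to tarfile.open. Assumptions: the function names (parse_pax_records, scan_pax_headers, build_crafted_archive, build_benign_pax_archive) are mine; the check is stricter than upstream's length == 0 test in that it rejects any record shorter than its own prefix; size fields are assumed to be octal (base-256 sizes are not handled); both archives are constructed samples.

```python
"""Added example for CVE-2019-20907: find pax records whose declared length
cannot advance the cursor, the condition that makes unpatched tarfile loop
forever, by scanning raw tar headers instead of calling tarfile.open."""
import io
import re
import tarfile

BLOCKSIZE = 512
# Same record grammar tarfile matches: "<decimal length> <keyword>="
PAX_RECORD = re.compile(rb"(\d+) ([^=]+)=")


def parse_pax_records(buf: bytes) -> dict:
    """Parse pax records from one extended-header payload.

    Raises ValueError on a record whose length cannot move the cursor past
    its own "<length> <keyword>=\\n" prefix.  Upstream rejects length == 0;
    this is stricter (assumption: a shorter record is never valid) and also
    catches lengths that would re-read an already parsed record.
    """
    records = {}
    pos = 0
    while True:
        match = PAX_RECORD.match(buf, pos)
        if not match:
            break
        length = int(match.group(1))
        min_length = (match.end() - pos) + 1          # prefix plus trailing "\n"
        if length < min_length:
            raise ValueError(
                f"pax record at offset {pos} claims length {length} "
                f"(minimum {min_length}); unpatched tarfile would loop forever"
            )
        value = buf[match.end():pos + length - 1]     # strip the trailing "\n"
        keyword = match.group(2).decode("utf-8", "surrogateescape")
        records[keyword] = value.decode("utf-8", "surrogateescape")
        pos += length                                  # length >= min_length > 0
    return records


def _octal_field(raw: bytes) -> int:
    """Decode a NUL/space padded octal ustar field (size, chksum)."""
    digits = raw.strip(b"\0 ")
    return int(digits, 8) if digits else 0


def scan_pax_headers(data: bytes) -> list:
    """Walk 512-byte headers; return (offset, reason) for every pax extended
    header ('x' or 'g') whose records fail parse_pax_records()."""
    findings = []
    offset = 0
    while offset + BLOCKSIZE <= len(data):
        header = data[offset:offset + BLOCKSIZE]
        if header == b"\0" * BLOCKSIZE:               # end-of-archive marker
            break
        if header[124] & 0x80:                        # assumption: octal sizes only
            raise ValueError(f"base-256 size field at offset {offset} not supported")
        size = _octal_field(header[124:136])
        typeflag = header[156:157]
        if typeflag in (b"x", b"g"):                  # XHDTYPE / XGLTYPE
            payload = data[offset + BLOCKSIZE:offset + BLOCKSIZE + size]
            try:
                parse_pax_records(payload)
            except ValueError as exc:
                findings.append((offset, str(exc)))
        padded = ((size + BLOCKSIZE - 1) // BLOCKSIZE) * BLOCKSIZE
        offset += BLOCKSIZE + padded
    return findings


def build_crafted_archive() -> bytes:
    """Constructed sample: one 'x' header whose payload is a single record
    claiming length 0 ("0 path=\\n"), the shape the CVE describes."""
    payload = b"0 path=\n"
    header = bytearray(BLOCKSIZE)
    header[0:14] = b"PaxHeader/evil"                  # name
    header[100:108] = b"0000644\0"                    # mode
    header[108:116] = b"0000000\0"                    # uid
    header[116:124] = b"0000000\0"                    # gid
    header[124:136] = b"%011o\0" % len(payload)       # size (octal)
    header[136:148] = b"00000000000\0"                # mtime
    header[148:156] = b"        "                     # chksum is summed as spaces
    header[156:157] = b"x"                            # XHDTYPE
    header[257:263] = b"ustar\0"                      # magic
    header[263:265] = b"00"                           # version
    header[148:156] = b"%06o\0 " % sum(header)
    return bytes(header) + payload.ljust(BLOCKSIZE, b"\0") + b"\0" * (2 * BLOCKSIZE)


def build_benign_pax_archive() -> bytes:
    """Constructed sample: tarfile's own PAX_FORMAT output for a name longer
    than 100 bytes, which forces a legitimate 'x' header with a path record."""
    bio = io.BytesIO()
    with tarfile.open(fileobj=bio, mode="w", format=tarfile.PAX_FORMAT) as tf:
        body = b"hello\n"
        info = tarfile.TarInfo("dir/" + "a" * 120 + ".txt")
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))
    return bio.getvalue()


if __name__ == "__main__":
    print("crafted :", scan_pax_headers(build_crafted_archive()))
    print("benign  :", scan_pax_headers(build_benign_pax_archive()))
```

scan_pax_headers() is the pre-filter to run on untrusted archives before any interpreter that might still carry the bug touches them; it reports the header offset and the offending length. Do not probe an interpreter by calling tarfile.open on the crafted sample without a timeout: a patched tarfile rejects the header (the first member fails with tarfile.ReadError), an unpatched one never returns.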
Comment 1 Michał Górny 2020-07-19 03:53:20 UTC
Curiously enough, upstream didn't record this as a security fix in the news. Nevertheless, I'll do a backport.
Comment 2 Larry the Git Cow 2020-07-19 04:18:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=49adaa965248b1b8ac349516c8b3b88b47dedbea

commit 49adaa965248b1b8ac349516c8b3b88b47dedbea
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-19 03:52:56 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-19 04:18:34 +0000

    dev-lang/python: Backport security fixes
    
    Bug: https://bugs.gentoo.org/732498
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                     |   5 +
 dev-lang/python/python-2.7.18-r1.ebuild      | 366 +++++++++++++++++++++++++++
 dev-lang/python/python-3.6.11-r2.ebuild      | 357 ++++++++++++++++++++++++++
 dev-lang/python/python-3.7.8-r2.ebuild       | 343 +++++++++++++++++++++++++
 dev-lang/python/python-3.8.4-r1.ebuild       | 346 +++++++++++++++++++++++++
 dev-lang/python/python-3.9.0_beta4-r1.ebuild | 323 +++++++++++++++++++++++
 6 files changed, 1740 insertions(+)
Comment 3 Agostino Sarubbo 2020-07-19 12:18:34 UTC
amd64 stable
Comment 4 Agostino Sarubbo 2020-07-19 12:20:07 UTC
arm stable
Comment 5 Agostino Sarubbo 2020-07-19 12:21:18 UTC
ppc64 stable
Comment 6 Agostino Sarubbo 2020-07-19 12:22:59 UTC
x86 stable
Comment 7 Agostino Sarubbo 2020-07-20 06:51:18 UTC
ppc stable
Comment 8 Agostino Sarubbo 2020-07-20 06:52:42 UTC
s390 stable
Comment 9 Agostino Sarubbo 2020-07-20 06:53:12 UTC
sparc stable
Comment 10 Sam James 2020-07-20 20:40:44 UTC
arm64 stable
Comment 11 Rolf Eike Beer 2020-07-22 15:32:22 UTC
hppa stable
Comment 12 NATTkA bot 2020-07-22 15:32:47 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 13 John Helmert III 2020-07-22 16:42:58 UTC
Thanks all. Please cleanup.
Comment 14 Larry the Git Cow 2020-08-02 02:46:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6b56771127f16adedc71c66627bd4a5b7804af9

commit b6b56771127f16adedc71c66627bd4a5b7804af9
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-08-02 02:45:31 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-08-02 02:46:01 +0000

    dev-lang/python: drop vulnerable
    
    Bug: https://bugs.gentoo.org/732498
    Bug: https://bugs.gentoo.org/728668
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-lang/python/Manifest                |  12 --
 dev-lang/python/python-2.7.18.ebuild    | 366 --------------------------------
 dev-lang/python/python-3.6.10-r2.ebuild | 357 -------------------------------
 dev-lang/python/python-3.6.11-r1.ebuild | 357 -------------------------------
 dev-lang/python/python-3.7.7-r2.ebuild  | 343 ------------------------------
 dev-lang/python/python-3.7.8-r1.ebuild  | 343 ------------------------------
 dev-lang/python/python-3.8.2-r2.ebuild  | 346 ------------------------------
 dev-lang/python/python-3.8.3-r1.ebuild  | 346 ------------------------------
 dev-lang/python/python-3.8.4.ebuild     | 346 ------------------------------
 9 files changed, 2816 deletions(-)
Comment 15 GLSAMaker/CVETool Bot 2020-08-02 03:21:49 UTC
This issue was resolved and addressed in
 GLSA 202008-01 at https://security.gentoo.org/glsa/202008-01
by GLSA coordinator Sam James (sam_c).