Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 812437 (CVE-2021-40839)

Summary: <dev-python/rencode-1.0.6-r2: infinite loop (CVE-2021-40839)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: arthurzam, maintainer-needed
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/aresch/rencode/commit/572ff74586d9b1daab904c6f7f7009ce0143bb75
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 813055    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-10 11:37:45 UTC 
CVE-2021-40839

The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.

Fixed commit is $URL (this information somehow didn't make it into the CVE
description). Unreleased.
Comment 1 Larry the Git Cow gentoo-dev 2021-09-12 16:36:46 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=384deab9737c204d6c61b06fa96d4e9ab93a18c1

commit 384deab9737c204d6c61b06fa96d4e9ab93a18c1
Author:     Arthur Zamarin <arthurzam@gentoo.org>
AuthorDate: 2021-09-12 16:36:09 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2021-09-12 16:36:09 +0000

    dev-python/rencode: import fix CVE-2021-40839
    
    Bug: https://bugs.gentoo.org/812437
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 .../files/rencode-1.0.6-fix-CVE-2021-40839.patch   | 34 +++++++++++++++++++++
 dev-python/rencode/rencode-1.0.6-r2.ebuild         | 35 ++++++++++++++++++++++
 2 files changed, 69 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-14 15:35:18 UTC 
Thanks! Please file a stablereq when ready.
Comment 3 Larry the Git Cow gentoo-dev 2021-09-17 14:19:36 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3eabd85ec4bfd37aab8d28f0f46405c2543953b1

commit 3eabd85ec4bfd37aab8d28f0f46405c2543953b1
Author:     Arthur Zamarin <arthurzam@gentoo.org>
AuthorDate: 2021-09-17 14:19:07 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2021-09-17 14:19:07 +0000

    dev-python/rencode: drop 1.0.6-r1
    
    Bug: https://bugs.gentoo.org/812437
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 dev-python/rencode/rencode-1.0.6-r1.ebuild | 33 ------------------------------
 1 file changed, 33 deletions(-)
Comment 4 Arthur Zamarin archtester Gentoo Infrastructure gentoo-dev Security 2021-09-17 14:21:33 UTC 
The new version have been stabilized and old vulnerable version have been removed.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-17 18:57:30 UTC 
Thanks! No GLSA, all done.