
Bug 939206 (CVE-2024-6232)

Summary: <dev-lang/python-{3.8.20,3.9.20,3.10.15,3.11.10,3.12.6,3.13.0_rc2}, dev-python/pypy3_9, <dev-python/pypy3_10-7.3.17_p1: Regular-expression DoS when parsing TarFile headers
Product: Gentoo Security
Reporter: Michał Górny <mgorny>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED ---
Severity: normal
CC: python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.cve.org/CVERecord?id=CVE-2024-6232
See Also: https://github.com/python/cpython/pull/121286
Whiteboard: A3 [stable]
Package list:
Runtime testing required: ---
Bug Depends on: 939207, 939208, 939209, 939279, 939283, 939213
Bug Blocks:

Description: Michał Górny (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2024-09-07 06:37:51 UTC
There is a MEDIUM severity vulnerability affecting CPython.

Regular expressions that allowed excessive backtracking during
tarfile.TarFile header parsing are vulnerable to ReDoS via
specifically-crafted tar archives.
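A practical follow-up for anyone auditing hosts against this bug is to check whether the interpreter in use already carries the fix. The script below is an added example, not part of the bug report or of CPython; it encodes only the first fixed release of each series exactly as the bug summary lists them (3.8.20, 3.9.20, 3.10.15, 3.11.10, 3.12.6, 3.13.0rc2) and compares them against `sys.version_info`. The assumptions it makes beyond the page are that CPython series newer than 3.13 branched after the fix and are therefore fixed, and that series older than 3.8 are simply not covered by the advisory; it does not cover the PyPy packages named in the summary.

```python
"""Check whether the running CPython is at or past the CVE-2024-6232 fix.

Fixed versions come from the Gentoo bug summary: 3.8.20, 3.9.20, 3.10.15,
3.11.10, 3.12.6 and 3.13.0rc2. Earlier releases of each series are affected.
Assumption (not stated on the bug): series newer than 3.13 are fixed, and
series older than 3.8 are outside the advisory's scope (reported as None).
"""
import sys
from typing import NamedTuple, Optional

# Ordering of sys.version_info.releaselevel values: pre-releases of a micro
# version sort before its final release, which matters for 3.13.0rc2.
_LEVEL_ORDER = {"alpha": 0, "beta": 1, "candidate": 2, "final": 3}


class Version(NamedTuple):
    major: int
    minor: int
    micro: int
    releaselevel: str = "final"
    serial: int = 0

    def key(self):
        """Sortable tuple that orders rc1 < rc2 < final for the same micro."""
        return (self.major, self.minor, self.micro,
                _LEVEL_ORDER[self.releaselevel], self.serial)


# First fixed release per affected series, taken from the bug summary.
FIXED_IN = {
    (3, 8): Version(3, 8, 20),
    (3, 9): Version(3, 9, 20),
    (3, 10): Version(3, 10, 15),
    (3, 11): Version(3, 11, 10),
    (3, 12): Version(3, 12, 6),
    (3, 13): Version(3, 13, 0, "candidate", 2),
}

# Newest fixed release on the page; anything beyond it is a later series.
_NEWEST_FIXED = FIXED_IN[(3, 13)]


def is_fixed(v: Version) -> Optional[bool]:
    """True if v carries the fix, False if it is an affected release,
    None if v belongs to a series the advisory does not cover."""
    series = (v.major, v.minor)
    if series in FIXED_IN:
        return v.key() >= FIXED_IN[series].key()
    if v.key() > _NEWEST_FIXED.key():
        return True   # assumption: later series branched after the fix
    return None       # pre-3.8 series: not listed on the bug


def running_interpreter() -> Version:
    """Snapshot of the current interpreter as a Version."""
    vi = sys.version_info
    return Version(vi.major, vi.minor, vi.micro, vi.releaselevel, vi.serial)


if __name__ == "__main__":
    current = running_interpreter()
    verdict = is_fixed(current)
    label = {True: "fixed", False: "AFFECTED", None: "not covered by advisory"}[verdict]
    print(f"Python {sys.version.split()[0]}: CVE-2024-6232 status: {label}")
    sys.exit(1 if verdict is False else 0)
```

Run it with the interpreter you want to audit; the exit code is 1 only for a release the bug summary marks as affected, which makes it easy to drop into a fleet check. The release-level handling is the part worth copying: a naive `(major, minor, micro)` comparison would wrongly report 3.13.0rc1 as fixed.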