CVE-2021-40839 The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory. Fixed commit is $URL (this information somehow didn't make it into the CVE description). Unreleased.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=384deab9737c204d6c61b06fa96d4e9ab93a18c1 commit 384deab9737c204d6c61b06fa96d4e9ab93a18c1 Author: Arthur Zamarin <arthurzam@gentoo.org> AuthorDate: 2021-09-12 16:36:09 +0000 Commit: Arthur Zamarin <arthurzam@gentoo.org> CommitDate: 2021-09-12 16:36:09 +0000 dev-python/rencode: import fix CVE-2021-40839 Bug: https://bugs.gentoo.org/812437 Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org> .../files/rencode-1.0.6-fix-CVE-2021-40839.patch | 34 +++++++++++++++++++++ dev-python/rencode/rencode-1.0.6-r2.ebuild | 35 ++++++++++++++++++++++ 2 files changed, 69 insertions(+)
Thanks! Please file a stablereq when ready.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3eabd85ec4bfd37aab8d28f0f46405c2543953b1 commit 3eabd85ec4bfd37aab8d28f0f46405c2543953b1 Author: Arthur Zamarin <arthurzam@gentoo.org> AuthorDate: 2021-09-17 14:19:07 +0000 Commit: Arthur Zamarin <arthurzam@gentoo.org> CommitDate: 2021-09-17 14:19:07 +0000 dev-python/rencode: drop 1.0.6-r1 Bug: https://bugs.gentoo.org/812437 Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org> dev-python/rencode/rencode-1.0.6-r1.ebuild | 33 ------------------------------ 1 file changed, 33 deletions(-)
The new version have been stabilized and old vulnerable version have been removed.
Thanks! No GLSA, all done.