CVE-2019-20907: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. Issue: https://bugs.python.org/issue39017 Patch: https://github.com/python/cpython/pull/21454
Curious enough, upstream didn't record this as security fix in news. Nevertheless, I'll do a backport.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=49adaa965248b1b8ac349516c8b3b88b47dedbea commit 49adaa965248b1b8ac349516c8b3b88b47dedbea Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2020-07-19 03:52:56 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2020-07-19 04:18:34 +0000 dev-lang/python: Backport security fixes Bug: https://bugs.gentoo.org/732498 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 5 + dev-lang/python/python-2.7.18-r1.ebuild | 366 +++++++++++++++++++++++++++ dev-lang/python/python-3.6.11-r2.ebuild | 357 ++++++++++++++++++++++++++ dev-lang/python/python-3.7.8-r2.ebuild | 343 +++++++++++++++++++++++++ dev-lang/python/python-3.8.4-r1.ebuild | 346 +++++++++++++++++++++++++ dev-lang/python/python-3.9.0_beta4-r1.ebuild | 323 +++++++++++++++++++++++ 6 files changed, 1740 insertions(+)
amd64 stable
arm stable
ppc64 stable
x86 stable
ppc stable
s390 stable
sparc stable
arm64 stable
hppa stable
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Thanks all. Please cleanup.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6b56771127f16adedc71c66627bd4a5b7804af9 commit b6b56771127f16adedc71c66627bd4a5b7804af9 Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2020-08-02 02:45:31 +0000 Commit: Aaron Bauman <bman@gentoo.org> CommitDate: 2020-08-02 02:46:01 +0000 dev-lang/python: drop vulnerable Bug: https://bugs.gentoo.org/732498 Bug: https://bugs.gentoo.org/728668 Signed-off-by: Aaron Bauman <bman@gentoo.org> dev-lang/python/Manifest | 12 -- dev-lang/python/python-2.7.18.ebuild | 366 -------------------------------- dev-lang/python/python-3.6.10-r2.ebuild | 357 ------------------------------- dev-lang/python/python-3.6.11-r1.ebuild | 357 ------------------------------- dev-lang/python/python-3.7.7-r2.ebuild | 343 ------------------------------ dev-lang/python/python-3.7.8-r1.ebuild | 343 ------------------------------ dev-lang/python/python-3.8.2-r2.ebuild | 346 ------------------------------ dev-lang/python/python-3.8.3-r1.ebuild | 346 ------------------------------ dev-lang/python/python-3.8.4.ebuild | 346 ------------------------------ 9 files changed, 2816 deletions(-)
This issue was resolved and addressed in GLSA 202008-01 at https://security.gentoo.org/glsa/202008-01 by GLSA coordinator Sam James (sam_c).