Bug 812437 (CVE-2021-40839) - <dev-python/rencode-1.0.6-r2: infinite loop (CVE-2021-40839)
Summary: <dev-python/rencode-1.0.6-r2: infinite loop (CVE-2021-40839)
Alias: CVE-2021-40839
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on: 813055
Reported: 2021-09-10 11:37 UTC by John Helmert III
Modified: 2021-09-17 18:57 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III gentoo-dev Security 2021-09-10 11:37:45 UTC

The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.

Fixed commit is $URL (this information somehow didn't make it into the CVE description). Unreleased.
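The hang described above, as an added illustration that is not rencode's own code: a simplified list decoder modelled on the shape of rencode's wire format, where the typecode values, the `guard` switch and the demo-only loop budget are assumptions of this example. The pre-fix shape returns without consuming an unrecognised typecode, so the list loop never reaches the terminator; the hardened shape rejects the byte and also refuses to continue when an inner decode makes no progress.

```python
# Added example, not the rencode project's code. Typecode values are assumed
# from the rencode wire format (';' opens a list, '\x7f' closes it).
CHR_LIST = 59             # b';'
CHR_TERM = 127            # b'\x7f'
INT_POS_FIXED_COUNT = 44  # assumed: typecodes 0..43 are single-byte small ints


def _decode(data: bytes, pos: int, guard: bool, budget: list) -> tuple:
    """Decode one value at data[pos]; return (value, next_pos)."""
    budget[0] -= 1
    if budget[0] < 0:
        # Demo-only budget so the vulnerable shape can be shown without hanging.
        raise RuntimeError("loop budget exhausted: decoder is spinning")
    if pos >= len(data):
        raise IndexError("truncated input at offset %d" % pos)
    tc = data[pos]
    if tc < INT_POS_FIXED_COUNT:
        return tc, pos + 1
    if tc == CHR_LIST:
        items, pos = [], pos + 1
        while data[pos] != CHR_TERM:
            before = pos
            item, pos = _decode(data, pos, guard, budget)
            if guard and pos == before:
                # Hardened: an inner decode that consumed nothing can never end this loop.
                raise ValueError("no progress at offset %d" % pos)
            items.append(item)
        return items, pos + 1
    if guard:
        # Hardened: an unknown typecode is an error, not a silent no-op.
        raise ValueError("unknown typecode %d at offset %d" % (tc, pos))
    # Vulnerable shape: nothing consumed, so a caller waiting for CHR_TERM spins forever.
    return None, pos


def loads(data: bytes, guard: bool = True, budget: int = 10_000):
    """Decode a whole payload; guard=False reproduces the pre-fix behaviour."""
    value, pos = _decode(data, 0, guard, [budget])
    if pos != len(data):
        raise ValueError("trailing bytes after offset %d" % pos)
    return value


def outcome(data: bytes, guard: bool) -> str:
    """Summarise what loads() does with a payload: decoded, rejected or spins."""
    try:
        loads(data, guard=guard)
        return "decoded"
    except ValueError:
        return "rejected"
    except RuntimeError:
        return "spins"
```

With `guard=True` the payload `b";\x2f\x7f"` from the description is rejected at offset 1; with `guard=False` the decoder only stops because of the demo budget.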
Comment 1 Larry the Git Cow gentoo-dev 2021-09-12 16:36:46 UTC
The bug has been referenced in the following commit(s):

commit 384deab9737c204d6c61b06fa96d4e9ab93a18c1
Author:     Arthur Zamarin <>
AuthorDate: 2021-09-12 16:36:09 +0000
Commit:     Arthur Zamarin <>
CommitDate: 2021-09-12 16:36:09 +0000

    dev-python/rencode: import fix CVE-2021-40839
    Signed-off-by: Arthur Zamarin <>

 .../files/rencode-1.0.6-fix-CVE-2021-40839.patch   | 34 +++++++++++++++++++++
 dev-python/rencode/rencode-1.0.6-r2.ebuild         | 35 ++++++++++++++++++++++
 2 files changed, 69 insertions(+)
Comment 2 John Helmert III gentoo-dev Security 2021-09-14 15:35:18 UTC
Thanks! Please file a stablereq when ready.
Comment 3 Larry the Git Cow gentoo-dev 2021-09-17 14:19:36 UTC
The bug has been referenced in the following commit(s):

commit 3eabd85ec4bfd37aab8d28f0f46405c2543953b1
Author:     Arthur Zamarin <>
AuthorDate: 2021-09-17 14:19:07 +0000
Commit:     Arthur Zamarin <>
CommitDate: 2021-09-17 14:19:07 +0000

    dev-python/rencode: drop 1.0.6-r1
    Signed-off-by: Arthur Zamarin <>

 dev-python/rencode/rencode-1.0.6-r1.ebuild | 33 ------------------------------
 1 file changed, 33 deletions(-)
Comment 4 Arthur Zamarin gentoo-dev 2021-09-17 14:21:33 UTC
The new version has been stabilized and the old vulnerable version has been removed.
Comment 5 John Helmert III gentoo-dev Security 2021-09-17 18:57:30 UTC
Thanks! No GLSA, all done.