Bug 939206 (CVE-2024-6232) - <dev-lang/python-{3.8.20,3.9.20,3.10.15,3.11.10,3.12.6,3.13.0_rc2}, dev-python/pypy3_9, <dev-python/pypy3_10-7.3.17_p1: Regular-expression DoS when parsing TarFile headers
Status: CONFIRMED
Alias: CVE-2024-6232
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.cve.org/CVERecord?id=CVE-...
Whiteboard: A3 [glsa?]
Keywords:
Depends on: 939207 939208 939209 939213 939279 939283 939863
Blocks:
Reported: 2024-09-07 06:37 UTC by Michał Górny
Modified: 2024-10-05 09:22 UTC

See Also:
Package list:
Runtime testing required: ---
Description (Michał Górny, 2024-09-07 06:37:51 UTC)
There is a MEDIUM severity vulnerability affecting CPython.

Regular expressions that allowed excessive backtracking during
tarfile.TarFile header parsing are vulnerable to ReDoS via
specifically-crafted tar archives.
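The report above concerns regular expressions that backtrack while tarfile parses tar headers. As an added, defender-side example that is not part of this bug report and not CPython's own tarfile code, the block below parses pax extended-header records (the `"%d %s=%s\n"` record format that tarfile handles) with a single forward scan and no regular expression, so the work done is linear in the size of the header and a malformed record is rejected rather than retried. The `MAX_PAX_HEADER` cap, the `make_pax_record` builder and the sample header are assumptions of this example only.

```python
# Added example: a pax extended-header record parser that cannot backtrack.
# Not CPython's tarfile code and not part of the Gentoo bug report.
#
# A pax record (POSIX.1-2001) looks like "%d %s=%s\n" % (length, keyword,
# value), where `length` counts the entire record: its own digits, the
# space, the keyword, '=', the value and the trailing newline.

MAX_PAX_HEADER = 1 << 20   # assumed cap for this example, not a tarfile constant
MAX_LENGTH_DIGITS = 20     # assumed: no sane record length needs more digits


def parse_pax_records(buf: bytes, max_size: int = MAX_PAX_HEADER) -> dict:
    """Parse pax records from `buf` in one left-to-right pass.

    Each step is a bounded find() or a slice, so cost is linear in len(buf)
    whatever shape the input has; anything malformed raises ValueError.
    """
    if len(buf) > max_size:
        raise ValueError("pax header larger than %d bytes" % max_size)
    records = {}
    pos, n = 0, len(buf)
    while pos < n:
        # Length field: ASCII digits up to the first space.
        sp = buf.find(b" ", pos)
        if sp == -1 or not buf[pos:sp].isdigit():
            raise ValueError("bad length field at offset %d" % pos)
        if sp - pos > MAX_LENGTH_DIGITS:
            raise ValueError("length field too long at offset %d" % pos)
        length = int(buf[pos:sp])
        end = pos + length
        # The declared length must fit in the buffer and end on a newline.
        if length <= 0 or end > n or buf[end - 1] != 0x0A:
            raise ValueError("record at offset %d has bad length %d" % (pos, length))
        # Keyword runs from after the space to the first '=' inside the record.
        eq = buf.find(b"=", sp + 1, end)
        if eq == -1:
            raise ValueError("record at offset %d has no '='" % pos)
        keyword = buf[sp + 1:eq].decode("utf-8", "surrogateescape")
        value = buf[eq + 1:end - 1].decode("utf-8", "surrogateescape")
        records[keyword] = value
        pos = end
    return records


def make_pax_record(keyword: str, value: str) -> bytes:
    """Build one well-formed record; the length field counts its own digits."""
    body = b" " + keyword.encode("utf-8") + b"=" + value.encode("utf-8") + b"\n"
    n = len(body)
    length = n + len(str(n))
    if len(str(length)) != len(str(n)):   # adding the digits grew the digit count
        length += 1
    return str(length).encode("ascii") + body


def rejects(buf: bytes) -> bool:
    """True if the parser refuses `buf` with ValueError (used for checks)."""
    try:
        parse_pax_records(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample header with two records.
    header = make_pax_record("path", "dir/file.txt") + make_pax_record("size", "1234")
    print(header)
    print(parse_pax_records(header))
    # Constructed malformed inputs: no '=', length past end of buffer,
    # non-numeric length, length not ending on a newline.
    for bad in (b"7 abcd\n", b"99 path=x\n", b"x path=y\n", b"6 abcd\n"):
        print(bad, "rejected" if rejects(bad) else "accepted")
```

The parser only ever moves `pos` forward and every `find()` is bounded by the record's own declared length, which is the property a backtracking regex lacks: a regex that retries alternatives can revisit the same bytes many times, while this scan touches each byte a constant number of times.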
Comment 1 (Michał Górny, 2024-10-05 08:28:37 UTC)
cleanup done.