939206 – (CVE-2024-6232) <dev-lang/python-{3.8.20,3.9.20,3.10.15,3.11.10,3.12.6,3.13.0_rc2}, dev-python/pypy3_9, <dev-python/pypy3_10-7.3.17_p1: Regular-expression DoS when parsing TarFile headers

Bug 939206 (CVE-2024-6232) - <dev-lang/python-{3.8.20,3.9.20,3.10.15,3.11.10,3.12.6,3.13.0_rc2}, dev-python/pypy3_9, <dev-python/pypy3_10-7.3.17_p1: Regular-expression DoS when parsing TarFile headers

Summary: <dev-lang/python-{3.8.20,3.9.20,3.10.15,3.11.10,3.12.6,3.13.0_rc2}, dev-pytho...

Status:	CONFIRMED

Alias:	CVE-2024-6232

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://www.cve.org/CVERecord?id=CVE-...
Whiteboard:	A3 [stable]
Keywords:

Depends on:	939207 939208 939209 939279 939283 939213
Blocks:
	Show dependency tree

Reported:	2024-09-07 06:37 UTC by Michał Górny
Modified:	2024-09-08 06:53 UTC (History)
CC List:	1 user (show)

See Also:	https://github.com/python/cpython/pull/121286
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2024-09-07 06:37:51 UTC

There is a MEDIUM severity vulnerability affecting CPython.

Regular expressions that allowed excessive backtracking during
tarfile.TarFile header parsing are vulnerable to ReDoS via
specifically-crafted tar archives.