From 1fa6ef2bc7cee1c8e088dd8b397d9b2d54036dbc Mon Sep 17 00:00:00 2001
From: Rajarishi Devarajan
Date: Sun, 12 Jul 2020 23:47:42 +0200
Subject: [PATCH 1/4] bpo-39017 Fix infinite loop in the tarfile module

Add a check for length = 0 in the _proc_pax function to avoid running into an infinite loop
---
 Lib/tarfile.py | 2 ++
 Lib/test/recursion.tar | Bin 0 -> 516 bytes
 Lib/test/test_tarfile.py | 5 +++++
 3 files changed, 7 insertions(+)
 create mode 100644 Lib/test/recursion.tar

diff --git a/Lib/tarfile.py b/Lib/tarfile.py
index e2b60532f693d4..6769066cabd6fc 100755
--- a/Lib/tarfile.py
+++ b/Lib/tarfile.py
@@ -1249,6 +1249,8 @@ def _proc_pax(self, tarfile):
 length, keyword = match.groups()
 length = int(length)
+ if length == 0:
+ raise InvalidHeaderError("invalid header")
 value = buf[match.end(2) + 1:match.start(1) + length - 1]
 # Normally, we could just use "utf-8" as the encoding and "strict"
diff --git a/Lib/test/recursion.tar b/Lib/test/recursion.tar
new file mode 100644
index 0000000000000000000000000000000000000000..b8237251964983f54ed1966297e887636cd0c5f4
GIT binary patch literal 516 zcmYdFPRz+kEn=W0Fn}74P8%Xw3X=l~85kIuo0>8xq$A1Gm}!7)KUsFc41m#O8A5+e I1_}|j06>QaCIA2c literal 0 HcmV?d00001
diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
index d60d35b5be04ae..1f31a8f7007660 100644
--- a/Lib/test/test_tarfile.py
+++ b/Lib/test/test_tarfile.py
@@ -429,6 +429,11 @@ def test_premature_end_of_archive(self):
 with self.assertRaisesRegex(tarfile.ReadError, "unexpected end of data"):
 tar.extractfile(t).read()
+ def test_length_zero_header(self):
+ with self.assertRaisesRegex(tarfile.ReadError, "file could not be opened successfully"):
+ with tarfile.open(support.findfile('recursion.tar')) as tar:
+ tar.getmembers()
+
 class MiscReadTestBase(CommonReadTest):
 def requires_name_attribute(self):
 pass
From c43a5afcf9cc2dab2410c35632f66e055a938c02 Mon Sep 17 00:00:00 2001
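Review bot: The new `if length == 0:` guard gives no hint why zero is fatal, and `"invalid header"` is the same message other `InvalidHeaderError` sites in this module use, so neither a reader of the code nor of a traceback can connect it to the hang it prevents; a why-comment above the check such as `# A zero-length record would never advance pos, so the loop below would spin forever (bpo-39017, CVE-2019-20907).` would carry that. The loop that consumes `length` and the rest of `_proc_pax` continue outside the hunk, so that zero is the only value that stalls it is inferred from the slice on the `value =` line rather than visible here and should be confirmed against the `pos` update. A positive `length` shorter than the `NN keyword=` prefix it describes is also malformed and yields an empty slice on that line; a lower bound such as `if length < match.end() - match.start(1) + 1:` would reject it too, but since that narrows which archives are accepted it deserves its own test rather than riding on this fix.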
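Review bot: `test_length_zero_header` only exercises the crafted record as the first entry of the archive, where `tarfile.open` fails outright, so the asserted text `"file could not be opened successfully"` comes from the open-time wrapper rather than from the header check itself. Presumably the same record placed after a valid member, or an archive opened with `ignore_zeros=True`, takes a different path through `TarFile.next()` that never produces that message, and the old code would have hung on both; a second case along the lines of `with tarfile.open(support.findfile('recursion.tar'), ignore_zeros=True) as tar: tar.getmembers()` would pin the fix on a path that does not depend on the wrapper, provided the fixture really contains nothing but the bad record. Since `recursion.tar` is an opaque binary blob, a one-line comment stating what it holds (a pax extended header whose first record begins with a `0 ` length field, if that is the case) would spare the next maintainer a hex dump.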
From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com>
Date: Sun, 12 Jul 2020 22:16:59 +0000
Subject: [PATCH 2/4] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= =?UTF-8?q?rb=5Fit.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst

diff --git a/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
new file mode 100644
index 00000000000000..10d98f759ac87f
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
@@ -0,0 +1 @@
+Add check for length = 0 to avoid infinite loop inside _proc_pax function in tarfile module
\ No newline at end of file
From 5f7b94574db21086dc2693210a975def7cc058e3 Mon Sep 17 00:00:00 2001
From: Rishi
Date: Tue, 14 Jul 2020 12:39:14 +0200
Subject: [PATCH 3/4] Apply suggestions from code review

Add relevant CVE number in inline comments

Co-authored-by: Petr Viktorin
---
 Lib/test/test_tarfile.py | 2 ++
 .../next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
index 1f31a8f7007660..827ffaf3273b30 100644
--- a/Lib/test/test_tarfile.py
+++ b/Lib/test/test_tarfile.py
@@ -430,6 +430,8 @@ def test_premature_end_of_archive(self):
 tar.extractfile(t).read()
 def test_length_zero_header(self):
+ # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail
+ # with an exception
 with self.assertRaisesRegex(tarfile.ReadError, "file could not be opened successfully"):
 with tarfile.open(support.findfile('recursion.tar')) as tar:
 tar.getmembers()
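Review bot: The added comment says "reading a zero-length header", but what the guard in `_proc_pax` (first patch of this series) rejects is a pax extended-header record whose length field is 0, not a header of zero length, so the wording points the reader at the wrong structure. Suggest `# bpo-39017 (CVE-2019-20907): a pax record whose length field is 0 must raise` followed by `# instead of making _proc_pax loop forever`. The whole of `test_length_zero_header` is visible in this hunk; the enclosing test class is not.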
diff --git a/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
index 10d98f759ac87f..ad26676f8b8563 100644
--- a/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
+++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
@@ -1 +1 @@
-Add check for length = 0 to avoid infinite loop inside _proc_pax function in tarfile module
\ No newline at end of file
+Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
From 54084a8beef62fa0ac443618be2352f67f2bb8c3 Mon Sep 17 00:00:00 2001
From: rishi93
Date: Tue, 14 Jul 2020 12:45:48 +0200
Subject: [PATCH 4/4] bpo-39017: Fix infinite loop in the tarfile module

Replace code that is never called with pass in tarfile testcase
---
 Lib/test/test_tarfile.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
index 827ffaf3273b30..3ddeb97f5268fe 100644
--- a/Lib/test/test_tarfile.py
+++ b/Lib/test/test_tarfile.py
@@ -434,7 +434,7 @@ def test_length_zero_header(self):
 # with an exception
 with self.assertRaisesRegex(tarfile.ReadError, "file could not be opened successfully"):
 with tarfile.open(support.findfile('recursion.tar')) as tar:
- tar.getmembers()
+ pass
 class MiscReadTestBase(CommonReadTest):
 def requires_name_attribute(self):
pFad - Phonifier reborn
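Review bot: After this change the inner `with tarfile.open(...) as tar:` has an empty body, which reads as if the test expects the open to succeed, when the point is that `tarfile.open` itself must raise; keeping the `with` is still the right shape because it closes the handle if the open ever unexpectedly succeeds, but nothing in the code says so. Suggest replacing the bare `pass` with one that carries the intent, e.g. `pass  # tarfile.open() must raise; the with-block only closes the file if it unexpectedly succeeds`. `test_length_zero_header` starts above this hunk (its `def` line appears only in the hunk header), so the assertion being wrapped is partly out of view.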
