From 0640f5087d6bcaf1bedcd4c63e4720d682f4d77c Mon Sep 17 00:00:00 2001
From: Rishi
Date: Wed, 15 Jul 2020 13:51:00 +0200
Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454)
Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)
Co-authored-by: Rishi
---
 Lib/tarfile.py | 2 ++
 Lib/test/recursion.tar | Bin 0 -> 516 bytes
 Lib/test/test_tarfile.py | 7 +++++++
 .../2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 1 +
 4 files changed, 10 insertions(+)
 create mode 100644 Lib/test/recursion.tar
 create mode 100644 Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
diff --git a/Lib/tarfile.py b/Lib/tarfile.py
index 62d22150f50da5..2ea47978ff6f1c 100755
--- a/Lib/tarfile.py
+++ b/Lib/tarfile.py
@@ -1231,6 +1231,8 @@ def _proc_pax(self, tarfile):
 length, keyword = match.groups()
 length = int(length)
+ if length == 0:
+ raise InvalidHeaderError("invalid header")
 value = buf[match.end(2) + 1:match.start(1) + length - 1]
 # Normally, we could just use "utf-8" as the encoding and "strict"
diff --git a/Lib/test/recursion.tar b/Lib/test/recursion.tar
new file mode 100644
index 0000000000000000000000000000000000000000..b8237251964983f54ed1966297e887636cd0c5f4
GIT binary patch literal 516 zcmYdFPRz+kEn=W0Fn}74P8%Xw3X=l~85kIuo0>8xq$A1Gm}!7)KUsFc41m#O8A5+e I1_}|j06>QaCIA2c literal 0 HcmV?d00001
diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
index 4cd7d5370f58d6..573be812eaa179 100644
--- a/Lib/test/test_tarfile.py
+++ b/Lib/test/test_tarfile.py
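Review bot: The new guard in `_proc_pax` (Lib/tarfile.py) rejects only `length == 0`, so a record whose declared length is nonzero but shorter than its own `"<len> <keyword>="` prefix, or longer than the data in `buf`, still reaches the slice `buf[match.end(2) + 1:match.start(1) + length - 1]` and silently yields an empty or truncated value. Because the length comes straight from the archive, it would be safer to check it against the matched prefix and the buffer, something like `if length < match.end(2) - match.start(1) + 2 or match.start(1) + length > len(buf): raise InvalidHeaderError("invalid header")`, which also covers the zero case. The enclosing loop and the way the read position advances are outside this hunk, so any further effect of such records there cannot be judged from here. A one-line comment above the check, e.g. `# bpo-39017: a zero length made this parser loop forever on crafted archives`, would record why it exists.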
@@ -395,6 +395,13 @@ def test_premature_end_of_archive(self):
 with self.assertRaisesRegex(tarfile.ReadError, "unexpected end of data"):
 tar.extractfile(t).read()
+ def test_length_zero_header(self):
+ # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail
+ # with an exception
+ with self.assertRaisesRegex(tarfile.ReadError, "file could not be opened successfully"):
+ with tarfile.open(support.findfile('recursion.tar')) as tar:
+ pass
+
 class MiscReadTestBase(CommonReadTest):
 def requires_name_attribute(self):
 pass
diff --git a/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
new file mode 100644
index 00000000000000..ad26676f8b8563
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
@@ -0,0 +1 @@
+Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
pFad - Phonifier reborn
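Review bot: `test_length_zero_header` (Lib/test/test_tarfile.py) matches on "file could not be opened successfully", which appears to be the generic message `tarfile.open` raises when no reader accepts the file, so the assertion would also pass if `recursion.tar` were rejected for an unrelated reason. Pinning the cause would make the regression test specific, for example opening with `tarfile.open(support.findfile('recursion.tar'), mode='r:')` and matching `"invalid header"`. That assumes the header error surfaces as `ReadError` with that text on this path, which is not visible in the hunk. If the guard ever regresses, this test would presumably hang rather than fail, which is worth saying in the comment above it. The bound name `tar` is unused, so `as tar` can be dropped.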
