CVE-2019-20907: Issue 39017: [CVE-2019-20907] Infinite loop in the tarfile module
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: bc, ethan.furman, jvoisin, larry, lars.gustaebel, mgorny, miss-islington, ned.deily, petr.viktorin, rishi93, serhiy.storchaka
Priority: normal
Keywords: patch
Created on 2019-12-10 16:19 by jvoisin, last changed 2022-04-11 14:59 by admin. This issue is now closed.
Files
File name | Uploaded | Description
timeout-a52710a313fdb35fb428c3399277cb640fe2f686 | jvoisin, 2019-12-10 16:19 | Infinite loop reproducer.
recursion.tar | bc, 2020-07-08 19:37 | Minimal infinite loop reproducer
Pull Requests
URL | Status | Linked
PR 21454 | merged | rishi93, 2020-07-12 22:04
PR 21482 | merged | miss-islington, 2020-07-15 11:51
PR 21483 | merged | miss-islington, 2020-07-15 11:51
PR 21484 | merged | miss-islington, 2020-07-15 11:51
PR 21485 | merged | miss-islington, 2020-07-15 11:51
PR 21489 | merged | petr.viktorin, 2020-07-15 15:29
Messages (17)
msg358200
Author: jvoisin (jvoisin)
Date: 2019-12-10 16:19
While playing with fuzzing and Python, I stumbled upon an infinite loop in Python's tarfile module: just open the attached file with `tarfile.open('timeout-a52710a313fdb35fb428c3399277cb640fe2f686')`, and Python will be endlessly stuck in the `_proc_pax` function in tarfile.py, likely due to a missing check of `length` being strictly superior to zero.
msg373339
Author: Ben Caller (bc) *
Date: 2020-07-08 19:37
I’ve attached a minimal tar file which reproduces this. I think the minimum length is 516 bytes.
We need a 512 byte PAX format header block as normal.
Then we need a pax header which matches the regex in https://github.com/python/cpython/blob/b26a0db8ea2de3a8a8e4b40e69fc8642c7d7cb68/Lib/tarfile.py#L1243
    # buf holds the pax header block, pos the offset of the current record
    regex = re.compile(br"(\d+) ([^=]+)=")
    length, keyword = regex.match(buf, pos).groups()
We use the `length` variable to iterate: https://github.com/python/cpython/blob/b26a0db8ea2de3a8a8e4b40e69fc8642c7d7cb68/Lib/tarfile.py#L1271
    while True:
        ...
        pos += length
So we can start the block with "0 X=". This makes length=0. So it will increment pos by 0 each loop and loop the same code forever.
Nice find.
Do you think this denial of service is worth requesting a CVE for? If so, can someone else do it?
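A defender's view of the loop Ben walks through, as an added example that is not part of this thread or of CPython's own code: the pax record parser with the zero-length check the fix introduced, plus an extra buffer bound that is my addition and not in the patch. `InvalidHeaderError` is a stand-in class, `max_records` exists only so the pre-fix loop raises instead of spinning, and all inputs are constructed.

```python
import re

# The record regex the thread links to in Lib/tarfile.py: "<length> <keyword>="
PAX_RECORD = re.compile(br"(\d+) ([^=]+)=")


class InvalidHeaderError(Exception):
    """Stand-in for tarfile.InvalidHeaderError, so the example is self-contained."""


def parse_pax_records(buf, validate=True, max_records=1000):
    """Walk pax records ('<length> <keyword>=<value>\\n', where <length> counts
    the whole record, digits included) the way _proc_pax does.  validate=False
    reproduces the pre-fix loop; max_records is a guard so it raises instead
    of looping forever on the "0 X=" trigger."""
    records = {}
    pos = 0
    for _ in range(max_records):
        match = PAX_RECORD.match(buf, pos)
        if not match:
            return records
        length, keyword = match.groups()
        length = int(length)
        if validate:
            # The CVE-2019-20907 fix: a zero length would leave pos unchanged.
            if length == 0:
                raise InvalidHeaderError("invalid header: zero-length pax record")
            # Extra bound (not in the CPython patch): an oversized length would
            # push pos past the buffer, the case msg373341 describes.
            if pos + length > len(buf):
                raise InvalidHeaderError("invalid header: record exceeds buffer")
        value = buf[match.end(2) + 1:pos + length - 1]   # drop the trailing '\n'
        records[keyword.decode("utf-8", "surrogateescape")] = value.decode("utf-8", "surrogateescape")
        pos += length
    raise RuntimeError("parser did not terminate: pos stuck at %d" % pos)


def check_pax_buffer(buf, validate=True):
    """Classify a buffer as 'ok', 'rejected' (validation tripped) or 'stuck'."""
    try:
        parse_pax_records(buf, validate)
    except InvalidHeaderError:
        return "rejected"
    except RuntimeError:
        return "stuck"
    return "ok"


if __name__ == "__main__":  # constructed inputs: two valid records, then the "0 X=" trigger
    print(parse_pax_records(b"18 path=some/file\n14 size=12345\n"), check_pax_buffer(b"0 X="))
```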
msg373341
Author: Ben Caller (bc) *
Date: 2020-07-08 20:03
A smaller bug: If instead of 0 you use a large number (> 2^63) e.g. 9999999999999999999 you get `OverflowError: Python int too large to convert to C ssize_t` rather than the expected `tarfile.ReadError` regardless of errorlevel.
msg373468
Author: Rajarishi Devarajan (rishi93) *
Date: 2020-07-10 14:13
Hi! I would like to start contributing to CPython. Can I start working on this issue?
msg373473
Author: Ethan Furman (ethan.furman) *
Date: 2020-07-10 17:01
Absolutely!
But first, you’ll need to sign the Contributor License Agreement:
https://www.python.org/psf/contrib/contrib-form/
Thank you for your help!
msg373577
Author: Rajarishi Devarajan (rishi93) *
Date: 2020-07-12 22:10
Thank you. I have signed the CLA agreement. I have pushed my code changes and also written a test case for this issue.
msg373632
Author: jvoisin (jvoisin)
Date: 2020-07-14 09:29
CVE-2019-20907 has been assigned to this issue.
msg373681
Author: Petr Viktorin (petr.viktorin) *
Date: 2020-07-15 11:51
New changeset 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4 by Rishi in branch 'master': bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) https://github.com/python/cpython/commit/5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4
msg373683
Author: Petr Viktorin (petr.viktorin) *
Date: 2020-07-15 12:20
Larry and Ned, do you want this fix in the security-only releases you manage?
PRs for 3.6 and 3.7 are ready, should you wish to merge them.
msg373684
Author: miss-islington (miss-islington)
Date: 2020-07-15 12:30
New changeset f3232294ee695492f43d424cc6969d018d49861d by Miss Islington (bot) in branch '3.9': [3.9] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (GH-21482) https://github.com/python/cpython/commit/f3232294ee695492f43d424cc6969d018d49861d
msg373685
Author: miss-islington (miss-islington)
Date: 2020-07-15 12:30
New changeset c55479556db015f48fc8bbca17f64d3e65598559 by Miss Islington (bot) in branch '3.8': [3.8] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (GH-21483) https://github.com/python/cpython/commit/c55479556db015f48fc8bbca17f64d3e65598559
msg373686
Author: Larry Hastings (larry) *
Date: 2020-07-15 12:34
Yes, please. It’s a simple low-risk fix. And 3.5.10rc1 is stuck waiting for a fix anyway. Thanks!
msg373687
Author: Ned Deily (ned.deily) *
Date: 2020-07-15 12:35
New changeset 79c6b602efc9a906c8496f3d5f4d54c54b48fa06 by Miss Islington (bot) in branch '3.7': bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (GH-21484) https://github.com/python/cpython/commit/79c6b602efc9a906c8496f3d5f4d54c54b48fa06
msg373688
Author: Ned Deily (ned.deily) *
Date: 2020-07-15 12:36
New changeset 47a2955589bdb1a114d271496ff803ad73f954b8 by Miss Islington (bot) in branch '3.6': bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (#21485) https://github.com/python/cpython/commit/47a2955589bdb1a114d271496ff803ad73f954b8
msg373689
Author: Ned Deily (ned.deily) *
Date: 2020-07-15 12:37
Thanks, the PRs for 3.7 and 3.6 are now merged.
msg373764
Author: Larry Hastings (larry) *
Date: 2020-07-16 19:48
New changeset cac9ca8ed99bd98f4c0dcd1913a146192bf5ee84 by Petr Viktorin in branch '3.5': [3.5] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (#21489) https://github.com/python/cpython/commit/cac9ca8ed99bd98f4c0dcd1913a146192bf5ee84
msg373972
Author: Michał Górny (mgorny) *
Date: 2020-07-19 21:13
Given that a CVE was assigned for this, I think it'd be better if the news were in the 'Security' category and not 'Library'.
History
Date | User | Action | Args
2022-04-11 14:59:24 | admin | set | github: 83198
2020-08-03 10:07:01 | vstinner | set | title: Infinite loop in the tarfile module -> [CVE-2019-20907] Infinite loop in the tarfile module
2020-07-19 21:13:23 | mgorny | set | nosy: + mgorny; messages: + msg373972
2020-07-16 19:49:38 | larry | set | status: open -> closed; resolution: fixed; stage: patch review -> resolved
2020-07-16 19:48:17 | larry | set | messages: + msg373764
2020-07-15 15:29:04 | petr.viktorin | set | pull_requests: + pull_request20632
2020-07-15 12:37:56 | ned.deily | set | messages: + msg373689; versions: + Python 3.5, Python 3.6, Python 3.8, Python 3.9, Python 3.10
2020-07-15 12:36:39 | ned.deily | set | messages: + msg373688
2020-07-15 12:35:12 | ned.deily | set | messages: + msg373687
2020-07-15 12:34:22 | larry | set | messages: + msg373686
2020-07-15 12:30:57 | miss-islington | set | messages: + msg373685
2020-07-15 12:30:36 | miss-islington | set | nosy: + miss-islington; messages: + msg373684
2020-07-15 12:20:00 | petr.viktorin | set | nosy: + larry, ned.deily, - miss-islington; messages: + msg373683
2020-07-15 11:51:48 | miss-islington | set | pull_requests: + pull_request20629
2020-07-15 11:51:41 | miss-islington | set | pull_requests: + pull_request20628
2020-07-15 11:51:33 | miss-islington | set | pull_requests: + pull_request20627
2020-07-15 11:51:26 | miss-islington | set | nosy: + miss-islington; pull_requests: + pull_request20626
2020-07-15 11:51:08 | petr.viktorin | set | nosy: + petr.viktorin; messages: + msg373681
2020-07-14 09:29:26 | jvoisin | set | messages: + msg373632
2020-07-12 22:10:05 | rishi93 | set | messages: + msg373577
2020-07-12 22:04:37 | rishi93 | set | keywords: + patch; stage: test needed -> patch review; pull_requests: + pull_request20602
2020-07-10 17:01:05 | ethan.furman | set | messages: + msg373473
2020-07-10 14:13:26 | rishi93 | set | messages: + msg373468
2020-07-10 10:56:27 | rishi93 | set | nosy: + rishi93
2020-07-08 20:03:20 | bc | set | messages: + msg373341
2020-07-08 19:37:57 | bc | set | files: + recursion.tar; nosy: + bc; messages: + msg373339
2019-12-10 21:37:50 | ethan.furman | set | stage: test needed
2019-12-10 17:20:30 | serhiy.storchaka | set | nosy: + lars.gustaebel, serhiy.storchaka
2019-12-10 16:19:56 | jvoisin | create |