The CVE record currently says:
Versions: affected from 0 before 3.13.0rc2
and points to https://github.com/python/cpython/issues/121285 which provides
this slightly expanded description:
"Today the tarfile module parsing of header values allows for backtracking
when parsing header values. Headers have a well-known format that doesn't
require backtracking to parse reliably, the new method of parsing will only
require a single pass over a byte stream."
and has links to pull requests for Python versions 3.8 through 3.13.
-------- Forwarded Message --------
Subject: [Security-announce][CVE-2024-6232] Regular-expression DoS when parsing
TarFile headers
Date: Tue, 3 Sep 2024 07:30:02 -0500
From: Seth Larson <s...@python.org>
Reply-To: security-...@python.org
To: security-annou...@python.org
There is a MEDIUM severity vulnerability affecting CPython.
Regular expressions that allowed excessive backtracking during tarfile.TarFile
header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
Please see the linked CVE ID for the latest information on affected versions:
* https://www.cve.org/CVERecord?id=CVE-2024-6232
* https://github.com/python/cpython/pull/121286
_______________________________________________
Security-announce mailing list -- security-annou...@python.org
https://mail.python.org/mailman3/lists/security-announce.python.org/
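As an added example (not CPython's tarfile code and not taken from the linked pull requests), here is what the single-pass parsing the issue text above describes looks like for pax extended-header records. It assumes the headers concerned are the POSIX pax records of the form "%d %s=%s\n" (decimal length, space, keyword, "=", value, newline), where the length counts the whole record including its own digits; the names InvalidHeaderError, parse_pax_records and make_pax_record are chosen for this example. Each byte is visited a bounded number of times and "=" is only searched for inside the record's own declared extent, so a malformed or adversarial record costs at most its own length rather than triggering regex backtracking.

```python
# Added example, not CPython's implementation. Assumes POSIX pax records:
#   b"%d %s=%s\n" % (length, keyword, value)
# where length counts the entire record, its own digits included.

class InvalidHeaderError(Exception):
    """Raised when a record does not follow the pax record layout."""


def parse_pax_records(buf: bytes) -> dict:
    """Parse every "length keyword=value\n" record in buf in one pass.

    No regular expression is used: the length field is read digit by
    digit, the record boundary is taken from that length, and '=' is
    searched for only within the record. Cost is linear in len(buf).
    """
    records = {}
    pos = 0
    n = len(buf)
    while pos < n:
        # 1. Decimal length field: at least one digit, capped at 20
        #    digits so a long run of digits cannot be used to stall us.
        start = pos
        while pos < n and 0x30 <= buf[pos] <= 0x39 and pos - start < 20:
            pos += 1
        if pos == start or pos >= n or buf[pos] != 0x20:
            raise InvalidHeaderError("bad length field at offset %d" % start)
        length = int(buf[start:pos])
        end = start + length
        # 2. The record must be non-empty, fit in the buffer, and end in '\n'.
        if length == 0 or end > n or buf[end - 1] != 0x0A:
            raise InvalidHeaderError("bad record length at offset %d" % start)
        pos += 1  # skip the single space after the length
        # 3. keyword=value; '=' is looked for inside this record only.
        eq = buf.find(b"=", pos, end - 1)
        if eq <= pos:  # -1 (no '=') or an empty keyword
            raise InvalidHeaderError("missing keyword or '=' at offset %d" % pos)
        keyword = buf[pos:eq].decode("utf-8", "surrogateescape")
        value = buf[eq + 1:end - 1].decode("utf-8", "surrogateescape")
        records[keyword] = value
        pos = end
    return records


def make_pax_record(keyword: str, value: str) -> bytes:
    """Build one record, computing the self-referential length field."""
    body = b" " + keyword.encode("utf-8") + b"=" + value.encode("utf-8") + b"\n"
    # The length counts its own digits, so iterate until the digit count
    # and the total agree (adding digits can add another digit).
    length = len(body)
    while len(str(length)) + len(body) != length:
        length = len(str(length)) + len(body)
    return str(length).encode("ascii") + body


if __name__ == "__main__":
    # Constructed sample input: two well-formed records and one malformed one.
    good = make_pax_record("path", "dir/file.txt") + make_pax_record("size", "1024")
    print(parse_pax_records(good))
    try:
        parse_pax_records(b"7 abcd\n")  # well-formed length, but no '='
    except InvalidHeaderError as e:
        print("rejected:", e)
```

The shape matters more than the names: the length field bounds every later lookup, so nothing in the parser ever scans past the record it is currently in, which is the property a backtracking regex over the whole buffer does not give you.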