[issue39017] Infinite loop in the tarfile module

2020-07-19 Thread Michał Górny

Michał Górny  added the comment:

Given that a CVE was assigned for this, I think it'd be better if the news were 
in the 'Security' category and not 'Library'.

--
nosy: +mgorny

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue39017] Infinite loop in the tarfile module

2020-07-16 Thread Larry Hastings


Change by Larry Hastings :


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed


[issue39017] Infinite loop in the tarfile module

2020-07-16 Thread Larry Hastings


Larry Hastings  added the comment:


New changeset cac9ca8ed99bd98f4c0dcd1913a146192bf5ee84 by Petr Viktorin in 
branch '3.5':
[3.5] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (#21489)
https://github.com/python/cpython/commit/cac9ca8ed99bd98f4c0dcd1913a146192bf5ee84


--


[issue39017] Infinite loop in the tarfile module

2020-07-15 Thread Petr Viktorin


Change by Petr Viktorin :


--
pull_requests: +20632
pull_request: https://github.com/python/cpython/pull/21489


[issue39017] Infinite loop in the tarfile module

2020-07-15 Thread Ned Deily


Ned Deily  added the comment:

Thanks, the PRs for 3.7 and 3.6 are now merged.

--
versions: +Python 3.10, Python 3.5, Python 3.6, Python 3.8, Python 3.9


[issue39017] Infinite loop in the tarfile module

2020-07-15 Thread Ned Deily


Ned Deily  added the comment:


New changeset 47a2955589bdb1a114d271496ff803ad73f954b8 by Miss Islington (bot) 
in branch '3.6':
bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (#21485)
https://github.com/python/cpython/commit/47a2955589bdb1a114d271496ff803ad73f954b8


--


[issue39017] Infinite loop in the tarfile module

2020-07-15 Thread Ned Deily


Ned Deily  added the comment:


New changeset 79c6b602efc9a906c8496f3d5f4d54c54b48fa06 by Miss Islington (bot) 
in branch '3.7':
bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (GH-21484)
https://github.com/python/cpython/commit/79c6b602efc9a906c8496f3d5f4d54c54b48fa06


--


[issue39017] Infinite loop in the tarfile module

2020-07-15 Thread Larry Hastings


Larry Hastings  added the comment:

Yes, please.  It's a simple low-risk fix.  And 3.5.10rc1 is stuck waiting for a 
fix anyway.  Thanks!

--


[issue39017] Infinite loop in the tarfile module

2020-07-15 Thread miss-islington


miss-islington  added the comment:


New changeset c55479556db015f48fc8bbca17f64d3e65598559 by Miss Islington (bot) 
in branch '3.8':
[3.8] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (GH-21483)
https://github.com/python/cpython/commit/c55479556db015f48fc8bbca17f64d3e65598559


--


[issue39017] Infinite loop in the tarfile module

2020-07-15 Thread miss-islington


miss-islington  added the comment:


New changeset f3232294ee695492f43d424cc6969d018d49861d by Miss Islington (bot) 
in branch '3.9':
[3.9] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (GH-21482)
https://github.com/python/cpython/commit/f3232294ee695492f43d424cc6969d018d49861d


--
nosy: +miss-islington


[issue39017] Infinite loop in the tarfile module

2020-07-15 Thread Petr Viktorin


Petr Viktorin  added the comment:

Larry and Ned, do you want this fix in the security-only releases you manage?

PRs for 3.6 and 3.7 are ready, should you wish to merge them.

--
nosy: +larry, ned.deily -miss-islington


[issue39017] Infinite loop in the tarfile module

2020-07-15 Thread miss-islington


Change by miss-islington :


--
pull_requests: +20629
pull_request: https://github.com/python/cpython/pull/21485


[issue39017] Infinite loop in the tarfile module

2020-07-15 Thread miss-islington


Change by miss-islington :


--
nosy: +miss-islington
nosy_count: 7.0 -> 8.0
pull_requests: +20626
pull_request: https://github.com/python/cpython/pull/21482


[issue39017] Infinite loop in the tarfile module

2020-07-15 Thread miss-islington


Change by miss-islington :


--
pull_requests: +20628
pull_request: https://github.com/python/cpython/pull/21484


[issue39017] Infinite loop in the tarfile module

2020-07-15 Thread miss-islington


Change by miss-islington :


--
pull_requests: +20627
pull_request: https://github.com/python/cpython/pull/21483


[issue39017] Infinite loop in the tarfile module

2020-07-15 Thread Petr Viktorin


Petr Viktorin  added the comment:


New changeset 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4 by Rishi in branch 
'master':
bpo-39017: Avoid infinite loop in the tarfile module (GH-21454)
https://github.com/python/cpython/commit/5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4


--
nosy: +petr.viktorin


[issue39017] Infinite loop in the tarfile module

2020-07-14 Thread jvoisin


jvoisin  added the comment:

CVE-2019-20907 has been assigned to this issue.

--


[issue39017] Infinite loop in the tarfile module

2020-07-12 Thread Rishi


Rishi  added the comment:

Thank you. I have signed the CLA agreement. I have pushed my code changes and 
also written a testcase for this issue.

--


[issue39017] Infinite loop in the tarfile module

2020-07-12 Thread Rishi


Change by Rishi :


--
keywords: +patch
pull_requests: +20602
stage: test needed -> patch review
pull_request: https://github.com/python/cpython/pull/21454


[issue39017] Infinite loop in the tarfile module

2020-07-10 Thread Ethan Furman


Ethan Furman  added the comment:

Absolutely!

But first, you'll need to sign the Contributor License Agreement:

  https://www.python.org/psf/contrib/contrib-form/

Thank you for your help!

--


[issue39017] Infinite loop in the tarfile module

2020-07-10 Thread Rishi


Rishi  added the comment:

Hi! I would like to start contributing to CPython. Can I start working on this 
issue?

--


[issue39017] Infinite loop in the tarfile module

2020-07-10 Thread Rishi


Change by Rishi :


--
nosy: +rishi93


[issue39017] Infinite loop in the tarfile module

2020-07-08 Thread Ben Caller


Ben Caller  added the comment:

A smaller bug: If instead of 0 you use a large number (> 2^63) e.g. 
999 you get `OverflowError: Python int too large to convert to 
C ssize_t` rather than the expected `tarfile.ReadError` regardless of 
errorlevel.

--


[issue39017] Infinite loop in the tarfile module

2020-07-08 Thread Ben Caller


Ben Caller  added the comment:

I've attached a minimal tar file which reproduces this. I think the minimum 
length is 516 bytes.

We need a 512 byte PAX format header block as normal.

Then we need a pax header which matches the regex in 
https://github.com/python/cpython/blob/b26a0db8ea2de3a8a8e4b40e69fc8642c7d7cb68/Lib/tarfile.py#L1243

regex = re.compile(br"(\d+) ([^=]+)=")
match = regex.match(buf, pos)
length, keyword = match.groups()

We use the `length` variable to iterate:
https://github.com/python/cpython/blob/b26a0db8ea2de3a8a8e4b40e69fc8642c7d7cb68/Lib/tarfile.py#L1271

while True:
    ...
    pos += length

So we can start the block with "0 X=". This makes length=0. So it will 
increment pos by 0 each loop and loop the same code forever.

Nice find.

Do you think this denial of service is worth requesting a CVE for? If so, can 
someone else do it?

--
nosy: +bc
Added file: https://bugs.python.org/file49309/recursion.tar



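Editor's worked example for the loop Ben describes above; this is added code, not code from the thread, from the attached reproducer files, or from CPython. It mirrors the _proc_pax record loop in two modes (the unpatched loop, with an iteration guard that exists only here so it returns, and the loop with the zero-length check that GH-21454 merged), builds a constructed PAX archive whose data section is "0 X=" via tarfile.TarInfo so the header checksum is valid, and checks that a patched interpreter's tarfile.open refuses it with tarfile.ReadError while a well-formed PAX archive still opens. A constructed length above 2^63 reproduces the OverflowError Ben reports in his comment of the same day. The names parse_pax_records, loop_outcome, build_pax_archive, build_real_pax_archive, tarfile_rejects, the two exception classes and the 3.8.5 version gate are this example's own assumptions, and the sample records are constructed.

```python
import io
import re
import sys
import tarfile

# Regex tarfile._proc_pax uses to split PAX records ("<length> <keyword>=<value>\n").
PAX_RECORD_RE = re.compile(br"(\d+) ([^=]+)=")

class InvalidPaxHeader(Exception):
    """Stands in for tarfile.InvalidHeaderError in this example."""

class LoopGuardTripped(Exception):
    """Guard added for this example only; the real loop has no such guard."""

def parse_pax_records(buf, reject_zero_length, max_iterations=1000):
    """Mirror of the record loop in tarfile._proc_pax.

    reject_zero_length=False reproduces the unpatched loop: a record whose
    length field is 0 never advances pos, so the same bytes match forever.
    reject_zero_length=True applies the check merged in GH-21454 (a zero
    length is an invalid header).  max_iterations is this example's own
    guard so the unpatched variant hands control back.
    """
    pax_headers, pos, iterations = {}, 0, 0
    while True:
        match = PAX_RECORD_RE.match(buf, pos)  # OverflowError once pos exceeds ssize_t
        if not match:
            break
        length, keyword = match.groups()
        length = int(length)
        if reject_zero_length and length == 0:
            raise InvalidPaxHeader("invalid header")
        iterations += 1
        if iterations > max_iterations:
            raise LoopGuardTripped(f"pos stuck at {pos} after {max_iterations} records")
        # Same slice as tarfile: the value sits between '=' and the trailing '\n'.
        value = buf[match.end(2) + 1:match.start(1) + length - 1]
        pax_headers[keyword.decode("utf-8", "surrogateescape")] = value.decode("utf-8", "surrogateescape")
        pos += length
    return pax_headers

def loop_outcome(pax_data, reject_zero_length):
    """Run parse_pax_records and report how the loop ended."""
    try:
        parse_pax_records(pax_data, reject_zero_length)
    except InvalidPaxHeader:
        return "rejected: invalid header"
    except LoopGuardTripped:
        return "stuck: loop never advanced"
    except OverflowError:
        return "crashed: OverflowError"
    return "parsed"

# Constructed PAX data sections (not the files attached to the issue).
MALICIOUS_PAX_DATA = b"0 X="                       # length 0: the infinite loop
OVERSIZED_PAX_DATA = b"9999999999999999999999 X="  # > 2**63: the OverflowError
BENIGN_PAX_DATA = b"18 path=hello.txt\n"           # 18 == len(record), "\n" included

def build_pax_archive(pax_data):
    """Constructed archive: a ustar header of type 'x' (PAX extended header)
    followed by pax_data padded to a 512-byte block.  TarInfo computes the
    checksum, so the header is accepted and parsing reaches _proc_pax."""
    info = tarfile.TarInfo(name="pax-header")
    info.type = tarfile.XHDTYPE
    info.size = len(pax_data)
    header = info.tobuf(tarfile.USTAR_FORMAT)
    return header + pax_data + b"\0" * (-len(pax_data) % tarfile.BLOCKSIZE)

def build_real_pax_archive():
    """Positive control: a well-formed PAX archive written by tarfile itself."""
    bio = io.BytesIO()
    with tarfile.open(fileobj=bio, mode="w", format=tarfile.PAX_FORMAT) as tf:
        member = tarfile.TarInfo("hello.txt")
        member.size = 5
        member.pax_headers = {"comment": "benign"}
        tf.addfile(member, io.BytesIO(b"hello"))
    return bio.getvalue()

def tarfile_rejects(blob):
    """True if this interpreter's tarfile refuses blob with ReadError, False if it
    opens.  Returns None below 3.8.5 (assumed unpatched here), where the
    zero-length blob would hang instead of raising."""
    if sys.version_info < (3, 8, 5):
        return None
    try:
        with tarfile.open(fileobj=io.BytesIO(blob)):
            return False
    except tarfile.ReadError:
        return True

if __name__ == "__main__":
    for name, data in (("benign", BENIGN_PAX_DATA), ("zero-length", MALICIOUS_PAX_DATA),
                       ("oversized", OVERSIZED_PAX_DATA)):
        print(f"{name:12} unpatched: {loop_outcome(data, False):28} patched: {loop_outcome(data, True)}")
    print("tarfile rejects crafted archive:", tarfile_rejects(build_pax_archive(MALICIOUS_PAX_DATA)))
    print("tarfile rejects real archive:", tarfile_rejects(build_real_pax_archive()))
```

Run it directly to see all three inputs go through both loop variants. On an interpreter below the version gate, tarfile_rejects returns None rather than risking the hang; to confirm an old build really spins, open the crafted archive in a subprocess with a timeout instead. The oversized case shows why the zero-length check alone is not a complete fix: the loop still trusts the length field when it advances pos.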

[issue39017] Infinite loop in the tarfile module

2019-12-10 Thread Ethan Furman


Change by Ethan Furman :


--
stage:  -> test needed


[issue39017] Infinite loop in the tarfile module

2019-12-10 Thread Serhiy Storchaka


Change by Serhiy Storchaka :


--
nosy: +lars.gustaebel, serhiy.storchaka


[issue39017] Infinite loop in the tarfile module

2019-12-10 Thread jvoisin


New submission from jvoisin :

While playing with fuzzing and Python, I stumbled upon an infinite loop in 
Python's tarfile module: just open the attached file with 
`tarfile.open('timeout-a52710a313fdb35fb428c3399277cb640fe2f686')`, and Python 
will be endlessly stuck in the `_proc_pax` function in tarfile.py, likely due 
to a missing check of `length` being strictly superior to zero.

--
files: timeout-a52710a313fdb35fb428c3399277cb640fe2f686
messages: 358200
nosy: ethan.furman, jvoisin
priority: normal
severity: normal
status: open
title: Infinite loop in the tarfile module
type: security
versions: Python 3.7
Added file: 
https://bugs.python.org/file48768/timeout-a52710a313fdb35fb428c3399277cb640fe2f686
