Infinite loop in tarfile module while opening a crafted file¶
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
Infinite loop in the tarfile module while opening a crafted TAR archive in the PAX format whose extended header contains a record with a length field of zero: the parser advances by that length, so it never moves past the record.
Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
Dates:
- Disclosure date: 2019-12-10 (Python issue bpo-39017 reported)
Fixed In¶
- Python 3.5.10 (2020-09-05) fixed by commit cac9ca8 (branch 3.5) (2020-07-16)
- Python 3.6.12 (2020-08-15) fixed by commit 47a2955 (branch 3.6) (2020-07-15)
- Python 3.7.9 (2020-08-15) fixed by commit 79c6b60 (branch 3.7) (2020-07-15)
- Python 3.8.5 (2020-07-20) fixed by commit c554795 (branch 3.8) (2020-07-15)
- Python 3.9.0 (2020-10-05) fixed by commit f323229 (branch 3.9) (2020-07-15)
Python issue¶
[CVE-2019-20907] Infinite loop in the tarfile module.
- Python issue: bpo-39017
- Creation date: 2019-12-10
- Reporter: jvoisin
CVE-2019-20907¶
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
- CVE ID: CVE-2019-20907
- Published: 2020-07-13
- CVSS Score: 5.0
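The following script is an added example, not code from this advisory or from CPython. It builds two constructed archives in memory, one carrying a pax record whose length field is 0 (the CVE-2019-20907 trigger) and one well-formed, scans their pax headers without involving tarfile so the zero-length record can be rejected before the stdlib parser sees it, and only then hands the bytes to `tarfile.open`. The builder, the scanner and the `open_checked` guard are my own; the `FIXED_IN` table is taken from the Fixed In list above and is used to refuse to run the unguarded probe on an interpreter that would spin forever. Member and path names are arbitrary.

```python
import io
import re
import sys
import tarfile

BLOCK = tarfile.BLOCKSIZE  # 512-byte tar block

# Same record shape the stdlib pax parser matches: "<length> <keyword>=<value>\n".
_PAX_RECORD = re.compile(rb"(\d+) ([^=]+)=")


def pax_record(keyword: str, value: str) -> bytes:
    """Encode one well-formed pax record. The length field counts the whole
    record including its own digits, so it is computed as a fixed point."""
    body = f" {keyword}={value}\n".encode("utf-8")
    length = len(body)
    while len(str(length)) + len(body) != length:
        length = len(str(length)) + len(body)
    return str(length).encode("ascii") + body


def _pad(data: bytes) -> bytes:
    """Pad data to a whole number of tar blocks."""
    rem = len(data) % BLOCK
    return data + b"\0" * (BLOCK - rem) if rem else data


def build_pax_archive(pax_payload: bytes, member_name: str = "hello.txt",
                      member_data: bytes = b"hello\n") -> bytes:
    """Constructed sample: a pax extended header (typeflag 'x') whose payload is
    pax_payload verbatim, then the regular member it applies to, then the
    end-of-archive marker. TarInfo is only used to write the 512-byte headers."""
    xhdr = tarfile.TarInfo("PaxHeader/" + member_name)
    xhdr.type = tarfile.XHDTYPE
    xhdr.size = len(pax_payload)
    member = tarfile.TarInfo(member_name)
    member.size = len(member_data)
    fmt = tarfile.USTAR_FORMAT
    return (xhdr.tobuf(fmt) + _pad(pax_payload)
            + member.tobuf(fmt) + _pad(member_data)
            + b"\0" * (2 * BLOCK))


def find_zero_length_pax_records(data: bytes) -> list:
    """Walk the archive's headers without tarfile and return (header_offset,
    record_offset) for every pax record whose length field is 0. The stdlib
    parser advances by that length, so 0 means it never moves forward.
    Assumption: octal size fields only (GNU base-256 sizes are not handled)."""
    hits = []
    off = 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:        # end-of-archive marker
            break
        size = int(hdr[124:136].rstrip(b"\0 ") or b"0", 8)
        if hdr[156:157] in (tarfile.XHDTYPE, tarfile.XGLTYPE, tarfile.SOLARIS_XHDTYPE):
            payload = data[off + BLOCK:off + BLOCK + size]
            pos = 0
            while (m := _PAX_RECORD.match(payload, pos)):
                length = int(m.group(1))
                if length == 0:
                    hits.append((off, pos))
                    break               # an unpatched parser loops here forever
                pos += length
        off += BLOCK + -(-size // BLOCK) * BLOCK
    return hits


# First fixed release of each affected minor, from the Fixed In list above.
FIXED_IN = {(3, 5): (3, 5, 10), (3, 6): (3, 6, 12), (3, 7): (3, 7, 9), (3, 8): (3, 8, 5)}


def interpreter_is_patched(version=tuple(sys.version_info[:3])) -> bool:
    """True if this interpreter carries the bpo-39017 fix (3.9.0+ always does)."""
    fixed = FIXED_IN.get(tuple(version[:2]))
    return version >= fixed if fixed else version >= (3, 9, 0)


def open_checked(data: bytes) -> tarfile.TarFile:
    """Guard for code that may run on an interpreter it does not control:
    reject the zero-length record before tarfile ever parses it."""
    bad = find_zero_length_pax_records(data)
    if bad:
        raise ValueError(f"zero-length pax record(s) at {bad}")
    return tarfile.open(fileobj=io.BytesIO(data), mode="r:")


def probe_stdlib(data: bytes) -> str:
    """Hand the bytes straight to tarfile.open: 'ok', 'ReadError' (a fixed
    parser rejects the header), or 'skipped' on an unpatched interpreter."""
    if not interpreter_is_patched():
        return "skipped"
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            tf.getmembers()
        return "ok"
    except tarfile.ReadError:
        return "ReadError"


if __name__ == "__main__":
    crafted = build_pax_archive(b"0 path=evil\n")   # length field 0: never advances
    benign = build_pax_archive(pax_record("path", "renamed.txt"))
    print("crafted:", find_zero_length_pax_records(crafted), probe_stdlib(crafted))
    print("benign: ", find_zero_length_pax_records(benign), probe_stdlib(benign))
    with open_checked(benign) as tf:
        print("members:", tf.getnames())
```

The scanner deliberately stops at the first zero-length record in a header instead of advancing, which is exactly the position the unpatched `_proc_pax` gets stuck at; `probe_stdlib` refuses to call `tarfile.open` on an interpreter older than the releases listed above, since there is no way to interrupt that loop from inside the process.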
Timeline¶
Timeline using the disclosure date 2019-12-10 as reference:
- 2019-12-10: Python issue bpo-39017 reported by jvoisin
- 2020-07-13 (+216 days): CVE-2019-20907 published
- 2020-07-15 (+218 days): commit 47a2955 (branch 3.6)
- 2020-07-15 (+218 days): commit 79c6b60 (branch 3.7)
- 2020-07-15 (+218 days): commit c554795 (branch 3.8)
- 2020-07-15 (+218 days): commit f323229 (branch 3.9)
- 2020-07-16 (+219 days): commit cac9ca8 (branch 3.5)
- 2020-07-20 (+223 days): Python 3.8.5 released
- 2020-08-15 (+249 days): Python 3.6.12 released
- 2020-08-15 (+249 days): Python 3.7.9 released
- 2020-09-05 (+270 days): Python 3.5.10 released
- 2020-10-05 (+300 days): Python 3.9.0 released