In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
Weakness
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Python | Python | 3.5.0 (including) | 3.5.10 (excluding) |
| Python | Python | 3.6.0 (including) | 3.6.12 (excluding) |
| Python | Python | 3.7.0 (including) | 3.7.9 (excluding) |
| Python | Python | 3.8.0 (including) | 3.8.5 (excluding) |
| Red Hat Enterprise Linux 7 | RedHat | python-0:2.7.5-90.el7 | * |
| Red Hat Enterprise Linux 7 | RedHat | python3-0:3.6.8-18.el7 | * |
| Red Hat Enterprise Linux 7.4 Advanced Update Support | RedHat | python-0:2.7.5-64.el7_4 | * |
| Red Hat Enterprise Linux 7.4 Telco Extended Update Support | RedHat | python-0:2.7.5-64.el7_4 | * |
| Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions | RedHat | python-0:2.7.5-64.el7_4 | * |
| Red Hat Enterprise Linux 7.6 Extended Update Support | RedHat | python-0:2.7.5-84.el7_6 | * |
| Red Hat Enterprise Linux 7.7 Extended Update Support | RedHat | python-0:2.7.5-88.el7_7 | * |
| Red Hat Enterprise Linux 8 | RedHat | python3-0:3.6.8-31.el8 | * |
| Red Hat Enterprise Linux 8 | RedHat | python38:3.8-8030020200818121840.4190259b | * |
| Red Hat Enterprise Linux 8 | RedHat | python27:2.7-8030020200819165638.851f4228 | * |
| Red Hat Enterprise Linux 8 | RedHat | python3-0:3.6.8-31.el8 | * |
| Red Hat OpenShift Do | RedHat | openshiftdo/odo-init-image-rhel7:1.1.3-2 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | RedHat | rh-python36-python-0:3.6.12-1.el6 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | RedHat | rh-python36-python-pip-0:9.0.1-5.el6 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | RedHat | rh-python36-python-virtualenv-0:15.1.0-3.el6 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | python27-python-0:2.7.18-2.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | python27-python-pip-0:8.1.2-6.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | python27-python-virtualenv-0:13.1.0-4.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-python36-python-0:3.6.12-1.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-python36-python-pip-0:9.0.1-5.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-python36-python-virtualenv-0:15.1.0-3.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-python38-python-0:3.8.6-1.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-python38-python-psutil-0:5.6.4-5.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-python38-python-urllib3-0:1.25.7-6.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | RedHat | python27-python-0:2.7.18-2.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | RedHat | python27-python-pip-0:8.1.2-6.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | RedHat | python27-python-virtualenv-0:13.1.0-4.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | RedHat | rh-python36-python-0:3.6.12-1.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | RedHat | rh-python36-python-pip-0:9.0.1-5.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | RedHat | rh-python36-python-virtualenv-0:15.1.0-3.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | RedHat | rh-python38-python-0:3.8.6-1.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | RedHat | rh-python38-python-psutil-0:5.6.4-5.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | RedHat | rh-python38-python-urllib3-0:1.25.7-6.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | python27-python-0:2.7.18-2.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | python27-python-pip-0:8.1.2-6.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | python27-python-virtualenv-0:13.1.0-4.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | rh-python36-python-0:3.6.12-1.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | rh-python36-python-pip-0:9.0.1-5.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | rh-python36-python-virtualenv-0:15.1.0-3.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | rh-python38-python-0:3.8.6-1.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | rh-python38-python-psutil-0:5.6.4-5.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | rh-python38-python-urllib3-0:1.25.7-6.el7 | * |
| Python2.7 | Ubuntu | bionic | * |
| Python2.7 | Ubuntu | eoan | * |
| Python2.7 | Ubuntu | esm-apps/focal | * |
| Python2.7 | Ubuntu | esm-infra-legacy/trusty | * |
| Python2.7 | Ubuntu | esm-infra/bionic | * |
| Python2.7 | Ubuntu | esm-infra/xenial | * |
| Python2.7 | Ubuntu | focal | * |
| Python2.7 | Ubuntu | groovy | * |
| Python2.7 | Ubuntu | hirsute | * |
| Python2.7 | Ubuntu | impish | * |
| Python2.7 | Ubuntu | trusty | * |
| Python2.7 | Ubuntu | trusty/esm | * |
| Python2.7 | Ubuntu | xenial | * |
| Python3.4 | Ubuntu | esm-infra-legacy/trusty | * |
| Python3.4 | Ubuntu | trusty | * |
| Python3.4 | Ubuntu | trusty/esm | * |
| Python3.5 | Ubuntu | esm-infra-legacy/trusty | * |
| Python3.5 | Ubuntu | esm-infra/xenial | * |
| Python3.5 | Ubuntu | trusty | * |
| Python3.5 | Ubuntu | trusty/esm | * |
| Python3.5 | Ubuntu | xenial | * |
| Python3.6 | Ubuntu | bionic | * |
| Python3.6 | Ubuntu | esm-infra/bionic | * |
| Python3.7 | Ubuntu | bionic | * |
| Python3.7 | Ubuntu | eoan | * |
| Python3.7 | Ubuntu | esm-apps/bionic | * |
| Python3.8 | Ubuntu | bionic | * |
| Python3.8 | Ubuntu | eoan | * |
| Python3.8 | Ubuntu | esm-apps/bionic | * |
| Python3.8 | Ubuntu | esm-infra/focal | * |
| Python3.8 | Ubuntu | focal | * |
| Python3.8 | Ubuntu | upstream | * |
References
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00051.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00052.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00053.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00056.html
- https://bugs.python.org/issue39017
- https://github.com/python/cpython/pull/21454
- https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
- https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CAXHCY4V3LPAAJOBCJ26ISZ4NUXQXTUZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PDKKRXLNVXRF6VGERZSR3OMQR5D5QI6I/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TOGKLGTXZLHQQFBVCAPSUDA6DOOJFNRY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSL3XWVDMSMKO23HR74AJQ6VEM3C2NTS/
- https://security.gentoo.org/glsa/202008-01
- https://security.netapp.com/advisory/ntap-20200731-0002/
- https://usn.ubuntu.com/4428-1/
- https://www.oracle.com/security-alerts/cpujan2021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00051.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00052.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00053.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00056.html
- https://bugs.python.org/issue39017
- https://github.com/python/cpython/pull/21454
- https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
- https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CAXHCY4V3LPAAJOBCJ26ISZ4NUXQXTUZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PDKKRXLNVXRF6VGERZSR3OMQR5D5QI6I/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TOGKLGTXZLHQQFBVCAPSUDA6DOOJFNRY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSL3XWVDMSMKO23HR74AJQ6VEM3C2NTS/
- https://security.gentoo.org/glsa/202008-01
- https://security.netapp.com/advisory/ntap-20200731-0002/
- https://usn.ubuntu.com/4428-1/
- https://www.oracle.com/security-alerts/cpujan2021.html