CVE-2021-40839

The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;x2fx7f), enabling a remote attack that consumes CPU and memory.

Weakness

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Affected Software

Name	Vendor	Start Version	End Version
Rencode	Rencode_project	*	1.0.6 (including)
Python-rencode	Ubuntu	bionic	*
Python-rencode	Ubuntu	hirsute	*
Python-rencode	Ubuntu	impish	*
Python-rencode	Ubuntu	kinetic	*
Python-rencode	Ubuntu	trusty	*
Python-rencode	Ubuntu	upstream	*
Python-rencode	Ubuntu	xenial	*

References

https://github.com/aresch/rencode/commit/572ff74586d9b1daab904c6f7f7009ce0143bb75
https://github.com/aresch/rencode/pull/29
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMVQRPDVSVZNGGX57CFKCYT3DEYO4QB6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MCLETLGVM5DBX6QNHQFW6TWGO5T3DENY/
https://pypi.org/project/rencode/#history
https://seclists.org/fulldisclosure/2021/Sep/16
https://security.netapp.com/advisory/ntap-20211008-0001/

NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-40839
CWE	https://cwe.mitre.org/data/definitions/835.html

Loop with Unreachable Exit Condition ('Infinite Loop')

Weakness

Affected Software

References