[CVE-2019-20907] Infinite loop in the tarfile module #83198

jvoisin · 2019-12-10T16:19:57Z

BPO	39017
Nosy	@gustaebel, @larryhastings, @ned-deily, @encukou, @ethanfurman, @mgorny, @serhiy-storchaka, @miss-islington, @bcaller, @rishi93
PRs	bpo-39017 Fix infinite loop in the tarfile module #21454 [3.9] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) #21482 [3.8] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) #21483 [3.7] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) #21484 [3.6] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) #21485 [3.5] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) #21489
Files	timeout-a52710a313fdb35fb428c3399277cb640fe2f686: Infinite loop reproducer. recursion.tar: Minimal infinite loop reproducer

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2020-07-16.19:49:38.415>
created_at = <Date 2019-12-10.16:19:56.633>
labels = ['type-security', '3.7', '3.8', '3.9', '3.10']
title = '[CVE-2019-20907] Infinite loop in the tarfile module'
updated_at = <Date 2020-08-03.10:07:01.350>
user = 'https://bugs.python.org/jvoisin'

bugs.python.org fields:

activity = <Date 2020-08-03.10:07:01.350>
actor = 'vstinner'
assignee = 'none'
closed = True
closed_date = <Date 2020-07-16.19:49:38.415>
closer = 'larry'
components = []
creation = <Date 2019-12-10.16:19:56.633>
creator = 'jvoisin'
dependencies = []
files = ['48768', '49309']
hgrepos = []
issue_num = 39017
keywords = ['patch']
message_count = 17.0
messages = ['358200', '373339', '373341', '373468', '373473', '373577', '373632', '373681', '373683', '373684', '373685', '373686', '373687', '373688', '373689', '373764', '373972']
nosy_count = 11.0
nosy_names = ['lars.gustaebel', 'larry', 'ned.deily', 'petr.viktorin', 'ethan.furman', 'mgorny', 'serhiy.storchaka', 'miss-islington', 'bc', 'jvoisin', 'rishi93']
pr_nums = ['21454', '21482', '21483', '21484', '21485', '21489']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue39017'
versions = ['Python 3.5', 'Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10']

jvoisin · 2019-12-10T16:19:56Z

While playing with fuzzing and Python, I stumbled upon an infinite loop in Python's tarfile module: just open the attached file with tarfile.open('timeout-a52710a313fdb35fb428c3399277cb640fe2f686'), and Python will be endlessly stuck in the _proc_pax function in tarfile.py, likely due to a missing check of length being strictly superior to zero.

bcaller · 2020-07-08T19:37:57Z

I've attached a minimal tar file which reproduces this. I think the minimum length is 516 bytes.

We need a 512 byte PAX format header block as normal.

Then we need a pax header which matches the regex in

cpython/Lib/tarfile.py

Line 1243 in b26a0db

regex = re.compile(br"(\d+) ([^=]+)=")

length, keyword = re.compile(br"(\d+) ([^=]+)=").groups()

We use the length variable to iterate:

cpython/Lib/tarfile.py

Line 1271 in b26a0db

pos += length

    while True:
        ...
        pos += length

So we can start the block with "0 X=". This makes length=0. So it will increment pos by 0 each loop and loop the same code forever.

Nice find.

Do you think this denial of service is worth requesting a CVE for? If so, can someone else do it.

bcaller · 2020-07-08T20:03:21Z

A smaller bug: If instead of 0 you use a large number (> 2^63) e.g. 9999999999999999999 you get OverflowError: Python int too large to convert to C ssize_t rather than the expected tarfile.ReadError regardless of errorlevel.

rishi93 · 2020-07-10T14:13:26Z

Hi ! I would like to start contributing to CPython. Can I start working on this issue ?

ethanfurman · 2020-07-10T17:01:05Z

Absolutely!

But first, you'll need to sign the Contributor License Agreement:

https://www.python.org/psf/contrib/contrib-form/

Thank you for your help!

rishi93 · 2020-07-12T22:10:05Z

Thank you. I have signed the CLA agreement. I have pushed my code changes and also written a testcase for this issue

jvoisin · 2020-07-14T09:29:27Z

CVE-2019-20907 has been assigned to this issue.

encukou · 2020-07-15T11:51:09Z

New changeset 5a8d121 by Rishi in branch 'master':
bpo-39017: Avoid infinite loop in the tarfile module (GH-21454)
5a8d121

encukou · 2020-07-15T12:20:01Z

Larry and Ned, do you want this fix in the security-only releases you manage?

PRs for 3.6 ad 3.7 are ready, should you wish to merge them.

miss-islington · 2020-07-15T12:30:37Z

New changeset f323229 by Miss Islington (bot) in branch '3.9':
[3.9] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (GH-21482)
f323229

miss-islington · 2020-07-15T12:30:57Z

New changeset c554795 by Miss Islington (bot) in branch '3.8':
[3.8] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (GH-21483)
c554795

larryhastings · 2020-07-15T12:34:22Z

Yes, please. It's a simple low-risk fix. And 3.5.10rc1 is stuck waiting for a fix anyway. Thanks!

ned-deily · 2020-07-15T12:35:12Z

New changeset 79c6b60 by Miss Islington (bot) in branch '3.7':
bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (GH-21484)
79c6b60

ned-deily · 2020-07-15T12:36:40Z

New changeset 47a2955 by Miss Islington (bot) in branch '3.6':
bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (bpo-21485)
47a2955

ned-deily · 2020-07-15T12:37:56Z

Thanks, the PRs for 3.7 and 3.6 are now merged.

larryhastings · 2020-07-16T19:48:18Z

New changeset cac9ca8 by Petr Viktorin in branch '3.5':
[3.5] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (bpo-21489)
cac9ca8

mgorny · 2020-07-19T21:13:23Z

Given that a CVE was assigned for this, I think it'd be better if the news were in the 'Security' category and not 'Library'.

jvoisin mannequin added 3.7 (EOL) end of life type-security A security issue labels Dec 10, 2019

ned-deily added 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes labels Jul 15, 2020

larryhastings closed this as completed Jul 16, 2020

vstinner changed the title ~~Infinite loop in the tarfile module~~ [CVE-2019-20907] Infinite loop in the tarfile module Aug 3, 2020

ezio-melotti transferred this issue from another repository Apr 10, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CVE-2019-20907] Infinite loop in the tarfile module #83198

[CVE-2019-20907] Infinite loop in the tarfile module #83198

jvoisin mannequin commented Dec 10, 2019

jvoisin mannequin commented Dec 10, 2019

bcaller mannequin commented Jul 8, 2020

bcaller mannequin commented Jul 8, 2020

rishi93 mannequin commented Jul 10, 2020

ethanfurman commented Jul 10, 2020

rishi93 mannequin commented Jul 12, 2020

jvoisin mannequin commented Jul 14, 2020

encukou commented Jul 15, 2020

encukou commented Jul 15, 2020

miss-islington commented Jul 15, 2020

miss-islington commented Jul 15, 2020

larryhastings commented Jul 15, 2020

ned-deily commented Jul 15, 2020

ned-deily commented Jul 15, 2020

ned-deily commented Jul 15, 2020

larryhastings commented Jul 16, 2020

mgorny mannequin commented Jul 19, 2020

[CVE-2019-20907] Infinite loop in the tarfile module #83198

[CVE-2019-20907] Infinite loop in the tarfile module #83198

Comments

jvoisin mannequin commented Dec 10, 2019

jvoisin mannequin commented Dec 10, 2019

bcaller mannequin commented Jul 8, 2020

bcaller mannequin commented Jul 8, 2020

rishi93 mannequin commented Jul 10, 2020

ethanfurman commented Jul 10, 2020

rishi93 mannequin commented Jul 12, 2020

jvoisin mannequin commented Jul 14, 2020

encukou commented Jul 15, 2020

encukou commented Jul 15, 2020

miss-islington commented Jul 15, 2020

miss-islington commented Jul 15, 2020

larryhastings commented Jul 15, 2020

ned-deily commented Jul 15, 2020

ned-deily commented Jul 15, 2020

ned-deily commented Jul 15, 2020

larryhastings commented Jul 16, 2020

mgorny mannequin commented Jul 19, 2020