Author bc
Recipients bc, ethan.furman, jvoisin, lars.gustaebel, serhiy.storchaka
Date 2020-07-08.19:37:56
Message-id <1594237077.01.0.745137900755.issue39017@roundup.psfhosted.org>
In-reply-to
Content
I've attached a minimal tar file which reproduces this. I think the minimum length is 516 bytes.

We need a 512 byte PAX format header block as normal.

Then we need a pax header which matches the regex in https://github.com/python/cpython/blob/b26a0db8ea2de3a8a8e4b40e69fc8642c7d7cb68/Lib/tarfile.py#L1243

    match = re.compile(br"(\d+) ([^=]+)=").match(buf, pos)
    length, keyword = match.groups()

We use the `length` variable to iterate:
https://github.com/python/cpython/blob/b26a0db8ea2de3a8a8e4b40e69fc8642c7d7cb68/Lib/tarfile.py#L1271

    while True:
        ...
        pos += length

So we can start the block with "0 X=". This makes length=0. So it will increment pos by 0 each loop and loop the same code forever.

Nice find.

Do you think this denial of service is worth requesting a CVE for? If so, can someone else do it?
History
Date User Action Args
2020-07-08 19:37:57 bc set recipients: + bc, lars.gustaebel, ethan.furman, serhiy.storchaka, jvoisin
2020-07-08 19:37:57 bc set messageid: <1594237077.01.0.745137900755.issue39017@roundup.psfhosted.org>
2020-07-08 19:37:57 bc link issue39017 messages
2020-07-08 19:37:56 bc create
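
Added example, not part of the original message and not CPython's own code: a stand-alone pax record parser that rejects any declared length too small to advance `pos`, next to a step-capped copy of the unguarded loop from the message to show the stall. The names `parse_pax_records`, `unguarded_steps`, `InvalidPaxRecord` and `SAMPLE_OK` are hypothetical, and the sample buffers are constructed.

```python
import re

# Same record pattern as quoted in the message above.
PAX_RECORD = re.compile(br"(\d+) ([^=]+)=")

# Constructed sample: two well-formed records. The declared length counts the
# whole record, including its own digits and the trailing newline.
SAMPLE_OK = b"11 path=ab\n" + b"12 uname=bc\n"


class InvalidPaxRecord(ValueError):
    """Declared record length cannot be valid (hypothetical name)."""


def parse_pax_records(buf):
    """Return {keyword: value} for the pax records in buf, checking each length."""
    records = {}
    pos = 0
    while True:
        match = PAX_RECORD.match(buf, pos)
        if not match:
            break
        length = int(match.group(1))
        # Smallest possible record: the matched "<len> <key>=" plus a newline.
        min_length = match.end() - match.start() + 1
        if length < min_length:
            # Covers length == 0, which would leave pos unchanged forever.
            raise InvalidPaxRecord(f"length {length} at offset {pos} is too small")
        if pos + length > len(buf):
            raise InvalidPaxRecord(f"length {length} at offset {pos} overruns buffer")
        keyword = match.group(2).decode("utf-8", "replace")
        records[keyword] = buf[match.end():pos + length - 1]
        pos += length
    return records


def unguarded_steps(buf, max_steps=1000):
    """Count iterations of the unguarded `pos += length` loop, capped at max_steps."""
    pos = steps = 0
    while steps < max_steps:
        match = PAX_RECORD.match(buf, pos)
        if not match:
            break
        pos += int(match.group(1))  # a declared length of 0 never advances pos
        steps += 1
    return steps
```
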