00351-cve-2019-20907-fix-infinite-loop-in-tarfile.patchfedora-2.7.18-5

00351 # Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907). See: https://bugs.python.org/issue39017
author: Rishi <rishi_devan@mail.com> 2020-07-15 11:51:00 (GMT)
committer: Petr Viktorin <pviktori@redhat.com> 2020-09-29 13:59:06 (GMT)
commit: fcc4a585fe13a8920fdb1f1d1ddf04eaed0025eb (patch)
tree: 8bd742044c3dac93fe2f191ffa7c61b1cfa3e2d7 /Lib/tarfile.py
parent: 76bb7970f4cb9340ac22914b27ebd3e3487964cc (diff)
download: cpython-fedora-2.7.18-5.zip
cpython-fedora-2.7.18-5.tar.gz
cpython-fedora-2.7.18-5.tar.bz2
1 files changed, 2 insertions, 0 deletions
diff --git a/Lib/tarfile.py b/Lib/tarfile.py
index adf91d5..574a6bb 100644
--- a/Lib/tarfile.py
+++ b/Lib/tarfile.py
@@ -1400,6 +1400,8 @@ class TarInfo(object):
 
             length, keyword = match.groups()
             length = int(length)
+            if length == 0:
+                raise InvalidHeaderError("invalid header")
             value = buf[match.end(2) + 1:match.start(1) + length - 1]
 
             keyword = keyword.decode("utf8")
author	Rishi <rishi_devan@mail.com>	2020-07-15 11:51:00 (GMT)
committer	Petr Viktorin <pviktori@redhat.com>	2020-09-29 13:59:06 (GMT)
commit	fcc4a585fe13a8920fdb1f1d1ddf04eaed0025eb (patch)
tree	8bd742044c3dac93fe2f191ffa7c61b1cfa3e2d7 /Lib/tarfile.py
parent	76bb7970f4cb9340ac22914b27ebd3e3487964cc (diff)
download	cpython-fedora-2.7.18-5.zip cpython-fedora-2.7.18-5.tar.gz cpython-fedora-2.7.18-5.tar.bz2