REDHAT-BUG-1856481
First published: Mon Jul 13 2020(Updated: )
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. Reference: <a href="https://bugs.python.org/issue39017">https://bugs.python.org/issue39017</a> Upstream commit: <a href="https://github.com/python/cpython/pull/21454">https://github.com/python/cpython/pull/21454</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Python Babel Localedata | <3.8.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.python.org/issue39017
- https://github.com/python/cpython/pull/21454
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1856489
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1856485
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1856486
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1856488
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1856483
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1856491
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1856490
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1856492
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1856493
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1856484
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1856482
- https://access.redhat.com/errata/RHSA-2020:4285
- https://access.redhat.com/security/cve/cve-2019-20907
- https://access.redhat.com/errata/RHSA-2020:4273
- https://access.redhat.com/errata/RHSA-2020:4299
- https://access.redhat.com/errata/RHSA-2020:4433
- https://access.redhat.com/errata/RHSA-2020:4641
- https://access.redhat.com/errata/RHSA-2020:4654
- https://access.redhat.com/errata/RHSA-2020:5009
- https://access.redhat.com/errata/RHSA-2020:5010
- https://access.redhat.com/errata/RHSA-2021:0528
- https://access.redhat.com/errata/RHSA-2021:0761
- https://access.redhat.com/errata/RHSA-2021:0881
- https://bugzilla.redhat.com/show_bug.cgi?id=1856481
Frequently Asked Questions
What is the severity of REDHAT-BUG-1856481?
The severity of REDHAT-BUG-1856481 is high due to the potential for denial of service through an infinite loop.
How do I fix REDHAT-BUG-1856481?
To fix REDHAT-BUG-1856481, upgrade Python to version 3.8.4 or later where the vulnerability is addressed.
Who is affected by REDHAT-BUG-1856481?
Users of Python versions prior to 3.8.4 are affected by REDHAT-BUG-1856481.
What causes the issue in REDHAT-BUG-1856481?
The issue in REDHAT-BUG-1856481 is caused by a lack of header validation in the tarfile module's _proc_pax function.
Is there a workaround for REDHAT-BUG-1856481?
A workaround for REDHAT-BUG-1856481 includes avoiding the use of tarfile.open with untrusted TAR archives until the software is updated.
- agent/references
- agent/type
- agent/first-publish-date
- agent/severity
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-20907
- agent/last-modified-date
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/python
- canonical/python babel localedata