.. _tarfile-pax-dos:

Infinite loop in tarfile module while opening a crafted file
============================================================

.. warning::

   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**. The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the `Open Source Vulnerability Database `_.

Infinite loop in tarfile module while opening a crafted TAR archive in the PAX format with a length of zero.

Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).

Dates:

* Disclosure date: **2019-12-10** (Python issue bpo-39017 reported)

Fixed In
--------

* Python **3.5.10** (2020-09-05) fixed by `commit cac9ca8 (branch 3.5) `_ (2020-07-16)
* Python **3.6.12** (2020-08-15) fixed by `commit 47a2955 (branch 3.6) `_ (2020-07-15)
* Python **3.7.9** (2020-08-15) fixed by `commit 79c6b60 (branch 3.7) `_ (2020-07-15)
* Python **3.8.5** (2020-07-20) fixed by `commit c554795 (branch 3.8) `_ (2020-07-15)
* Python **3.9.0** (2020-10-05) fixed by `commit f323229 (branch 3.9) `_ (2020-07-15)

Python issue
------------

[CVE-2019-20907] Infinite loop in the tarfile module.

* Python issue: `bpo-39017 `_
* Creation date: 2019-12-10
* Reporter: jvoisin

CVE-2019-20907
--------------

In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

* CVE ID: `CVE-2019-20907 `_
* Published: 2020-07-13
* `CVSS Score `_: 5.0

Timeline
--------

Timeline using the disclosure date **2019-12-10** as reference:

* 2019-12-10: `Python issue bpo-39017 `_ reported by jvoisin
* 2020-07-13 (**+216 days**): CVE-2019-20907 published
* 2020-07-15 (**+218 days**): `commit 47a2955 (branch 3.6) `_
* 2020-07-15 (**+218 days**): `commit 79c6b60 (branch 3.7) `_
* 2020-07-15 (**+218 days**): `commit c554795 (branch 3.8) `_
* 2020-07-15 (**+218 days**): `commit f323229 (branch 3.9) `_
* 2020-07-16 (**+219 days**): `commit cac9ca8 (branch 3.5) `_
* 2020-07-20 (**+223 days**): Python 3.8.5 released
* 2020-08-15 (**+249 days**): Python 3.6.12 released
* 2020-08-15 (**+249 days**): Python 3.7.9 released
* 2020-09-05 (**+270 days**): Python 3.5.10 released
* 2020-10-05: Python 3.9.0 released

Links
-----

* https://nvd.nist.gov/vuln/detail/CVE-2019-20907/
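The CVE description above boils down to one missing check: ``_proc_pax`` reads PAX records of the form ``<length> <keyword>=<value>\n`` and advances by ``length``, so a record whose length does not move the cursor forward loops forever. The following added example (not CPython's code and not part of this advisory) is a stand-alone pre-scanner a defender can run over an archive before handing it to an unpatched interpreter's ``tarfile.open``. It walks the 512-byte ustar headers, finds PAX extended headers (typeflag ``x`` or ``g``), and parses their records with a bound that is stricter than the upstream fix: every record must at least cover its own ``<length> <keyword>=`` prefix and end in a newline. The function names, the ``InvalidPaxHeader`` exception and the sample archive are all assumptions made for the example.

```python
"""Pre-check PAX extended headers before handing a TAR image to tarfile.

Added example, not CPython code. Mirrors the length validation that the
CVE-2019-20907 fix added to tarfile._proc_pax, applied as an external scan.
"""
import io
import re
import tarfile
from typing import Dict, Optional

# A PAX record is "<length> <keyword>=<value>\n"; <length> counts the whole
# record, including the digits of the length field and the trailing newline.
_PAX_RECORD = re.compile(rb"(\d+) ([^=]+)=")

BLOCK = 512  # ustar header and data block size


class InvalidPaxHeader(ValueError):
    """Raised for a PAX record that a reader could not safely advance past."""


def parse_pax_records(buf: bytes) -> Dict[str, str]:
    """Parse PAX records from buf, refusing any record that does not advance."""
    records: Dict[str, str] = {}
    pos = 0
    while pos < len(buf):
        match = _PAX_RECORD.match(buf, pos)
        if not match:
            break  # remaining bytes are block padding, not a record
        length = int(match.group(1))
        # Stricter than the upstream "length == 0" check: the record must at
        # least cover its "<length> <keyword>=" prefix plus one newline byte,
        # otherwise pos would not move forward and the loop would never end.
        if length <= match.end() - pos:
            raise InvalidPaxHeader(f"record at offset {pos} has length {length}")
        end = pos + length
        if end > len(buf) or buf[end - 1:end] != b"\n":
            raise InvalidPaxHeader(f"record at offset {pos} overruns or lacks newline")
        keyword = match.group(2).decode("utf-8", "replace")
        records[keyword] = buf[match.end():end - 1].decode("utf-8", "replace")
        pos = end
    return records


def pax_header_error(buf: bytes) -> Optional[str]:
    """Return None if buf parses cleanly, else the reason it was rejected."""
    try:
        parse_pax_records(buf)
    except InvalidPaxHeader as exc:
        return str(exc)
    return None


def _octal_field(raw: bytes) -> int:
    """Decode a NUL/space-terminated octal ustar field (0 when empty)."""
    digits = raw.rstrip(b"\0 ").lstrip(b" ")
    return int(digits, 8) if digits else 0


def find_bad_pax_header(data: bytes) -> Optional[str]:
    """Walk the 512-byte headers of a TAR image and validate every PAX block.

    Returns None when all PAX extended headers (typeflag 'x' or 'g') parse
    cleanly, otherwise a description of the first offending block.
    """
    off = 0
    while off + BLOCK <= len(data):
        header = data[off:off + BLOCK]
        if header == b"\0" * BLOCK:
            break  # end-of-archive marker
        size = _octal_field(header[124:136])  # ustar size field
        typeflag = header[156:157]            # ustar typeflag field
        if typeflag in (b"x", b"g"):
            err = pax_header_error(data[off + BLOCK:off + BLOCK + size])
            if err is not None:
                return f"PAX header at offset {off}: {err}"
        off += BLOCK * (1 + (size + BLOCK - 1) // BLOCK)
    return None


def build_sample_pax_archive() -> bytes:
    """Constructed benign archive: a 150-char path forces a PAX 'x' header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        info = tarfile.TarInfo("dir/" + "a" * 150 + ".txt")
        payload = b"hello\n"
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Prints None for the constructed archive; a rejected archive would print
    # the offset of the first PAX block whose records do not advance.
    print(find_bad_pax_header(build_sample_pax_archive()))
```

``find_bad_pax_header`` only reads the ustar size and typeflag fields, so it never needs to trust the PAX record lengths to find the next header; that is the property the vulnerable ``_proc_pax`` loop lacked. Run it over untrusted input on a patched interpreter, or gate extraction on it returning ``None`` where upgrading past the fixed releases listed above is not yet possible.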