.. _uu-encoding-newline:

Remove newline characters from uu encoding methods
==================================================

.. warning::
    This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

    The `canonical database for vulnerabilities affecting Python <https://github.com/psf/advisory-database>`_ is available on GitHub
    in the Open Source Vulnerability (OSV) format. This database can be viewed online at the
    `Open Source Vulnerability Database <https://osv.dev/list?ecosystem=&q=PSF>`_.

Filenames passed to the UU encoding methods (uu.py and uu_codec.py) that
contain a newline character will overflow data into the UU content section.
This can potentially be used to inject replace or corrupt data content in a
file during the decode process.

The fix removes newline characters from filenames.

Dates:

* Disclosure date: **2019-11-30** (Python issue bpo-38945 reported)
* Reported at: 2019-11-28 (PSRT list)
* Reported by: Matthew Rollings

Fixed In
--------

* Python **2.7.18** (2020-04-19) fixed by `commit a016d4e (branch 2.7) <https://github.com/python/cpython/commit/a016d4e32cc9faa48105d00db275439c3dc93559>`_ (2019-12-03)
* Python **3.5.10** (2020-09-05) fixed by `commit 8835f46 (branch 3.5) <https://github.com/python/cpython/commit/8835f465fa94f114dcf865429c0410821d365dae>`_ (2020-03-21)
* Python **3.6.10** (2019-12-18) fixed by `commit 30afc91 (branch 3.6) <https://github.com/python/cpython/commit/30afc91f5e70cf4748ffac77a419ba69ebca6f6a>`_ (2019-12-02)
* Python **3.7.6** (2019-12-18) fixed by `commit 87f2d26 (branch 3.7) <https://github.com/python/cpython/commit/87f2d261ee1c63ed39517355833d087c5a78b4bf>`_ (2019-12-02)
* Python **3.8.1** (2019-12-18) fixed by `commit 8859fc6 (branch 3.8) <https://github.com/python/cpython/commit/8859fc629474ab1ca7eb2e67aec538097c327e58>`_ (2019-12-02)
* Python **3.9.0** (2020-10-05) fixed by `commit a62ad47 (branch 3.9) <https://github.com/python/cpython/commit/a62ad4730c9b575f140f24074656c0257c86a09a>`_ (2019-12-02)

Python issue
------------

Remove newline characters from uu encoding methods.

* Python issue: `bpo-38945 <https://bugs.python.org/issue38945>`_
* Creation date: 2019-11-30
* Reporter: stealthcopter

Timeline
--------

Timeline using the disclosure date **2019-11-30** as reference:

* 2019-11-28 (**-2 days**): Reported (PSRT list)
* 2019-11-30: `Python issue bpo-38945 <https://bugs.python.org/issue38945>`_ reported by stealthcopter
* 2019-12-02 (**+2 days**): `commit 30afc91 (branch 3.6) <https://github.com/python/cpython/commit/30afc91f5e70cf4748ffac77a419ba69ebca6f6a>`_
* 2019-12-02 (**+2 days**): `commit 87f2d26 (branch 3.7) <https://github.com/python/cpython/commit/87f2d261ee1c63ed39517355833d087c5a78b4bf>`_
* 2019-12-02 (**+2 days**): `commit 8859fc6 (branch 3.8) <https://github.com/python/cpython/commit/8859fc629474ab1ca7eb2e67aec538097c327e58>`_
* 2019-12-02 (**+2 days**): `commit a62ad47 (branch 3.9) <https://github.com/python/cpython/commit/a62ad4730c9b575f140f24074656c0257c86a09a>`_
* 2019-12-03 (**+3 days**): `commit a016d4e (branch 2.7) <https://github.com/python/cpython/commit/a016d4e32cc9faa48105d00db275439c3dc93559>`_
* 2019-12-18 (**+18 days**): Python 3.6.10 released
* 2019-12-18 (**+18 days**): Python 3.7.6 released
* 2019-12-18 (**+18 days**): Python 3.8.1 released
* 2020-03-21 (**+112 days**): `commit 8835f46 (branch 3.5) <https://github.com/python/cpython/commit/8835f465fa94f114dcf865429c0410821d365dae>`_
* 2020-04-19 (**+141 days**): Python 2.7.18 released
* 2020-09-05 (**+280 days**): Python 3.5.10 released
* 2020-10-05: Python 3.9.0 released