Remove newline characters from uu encoding methods

Filenames passed to the UU encoding methods (uu.py and uu_codec.py) that contain a newline character will overflow data into the UU content section. This can potentially be used to inject replace or corrupt data content in a file during the decode process.

The fix removes newline characters from filenames.

• Disclosure date: 2019-11-30 (Python issue bpo-38945 reported)
• Reported at: 2019-11-28 (PSRT list)
• Reported by: Matthew Rollings

Fixed In

• Python 2.7.18 (2020-04-19) fixed by commit a016d4e (branch 2.7) (2019-12-03)
• Python 3.6.10 (2019-12-18) fixed by commit 30afc91 (branch 3.6) (2019-12-02)
• Python 3.7.6 (2019-12-18) fixed by commit 87f2d26 (branch 3.7) (2019-12-02)
• Python 3.8.1 (2019-12-18) fixed by commit 8859fc6 (branch 3.8) (2019-12-02)

Vulnerable Versions

• Python 3.5 (need release)

Python issue

Remove newline characters from uu encoding methods.

• Python issue: bpo-38945
• Creation date: 2019-11-30
• Reporter: stealthcopter

Timeline

Timeline using the disclosure date 2019-11-30 as reference:

• 2019-11-28 (-2 days): Reported (PSRT list)
• 2019-11-30: Python issue bpo-38945 reported by stealthcopter
• 2019-12-02 (+2 days): commit 30afc91 (branch 3.6)
• 2019-12-02 (+2 days): commit 87f2d26 (branch 3.7)
• 2019-12-02 (+2 days): commit 8859fc6 (branch 3.8)
• 2019-12-02 (+2 days): commit a62ad47 (branch 3.9)
• 2019-12-03 (+3 days): commit a016d4e (branch 2.7)
• 2019-12-18 (+18 days): Python 3.6.10 released
• 2019-12-18 (+18 days): Python 3.7.6 released
• 2019-12-18 (+18 days): Python 3.8.1 released
• 2020-03-21 (+112 days): commit 8835f46 (branch 3.5)
• 2020-04-19 (+141 days): Python 2.7.18 released