Remove newline characters from uu encoding methods

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

Filenames passed to the UU encoding methods (uu.py and uu_codec.py) that contain a newline character will overflow data into the UU content section. This can potentially be used to inject replace or corrupt data content in a file during the decode process.

The fix removes newline characters from filenames.

Dates:

• Disclosure date: 2019-11-30 (Python issue bpo-38945 reported)
• Reported at: 2019-11-28 (PSRT list)
• Reported by: Matthew Rollings

Fixed In

• Python 2.7.18 (2020-04-19) fixed by commit a016d4e (branch 2.7) (2019-12-03)
• Python 3.5.10 (2020-09-05) fixed by commit 8835f46 (branch 3.5) (2020-03-21)
• Python 3.6.10 (2019-12-18) fixed by commit 30afc91 (branch 3.6) (2019-12-02)
• Python 3.7.6 (2019-12-18) fixed by commit 87f2d26 (branch 3.7) (2019-12-02)
• Python 3.8.1 (2019-12-18) fixed by commit 8859fc6 (branch 3.8) (2019-12-02)
• Python 3.9.0 (2020-10-05) fixed by commit a62ad47 (branch 3.9) (2019-12-02)

Python issue

Remove newline characters from uu encoding methods.

• Python issue: bpo-38945
• Creation date: 2019-11-30
• Reporter: stealthcopter

Timeline

Timeline using the disclosure date 2019-11-30 as reference:

• 2019-11-28 (-2 days): Reported (PSRT list)
• 2019-11-30: Python issue bpo-38945 reported by stealthcopter
• 2019-12-02 (+2 days): commit 30afc91 (branch 3.6)
• 2019-12-02 (+2 days): commit 87f2d26 (branch 3.7)
• 2019-12-02 (+2 days): commit 8859fc6 (branch 3.8)
• 2019-12-02 (+2 days): commit a62ad47 (branch 3.9)
• 2019-12-03 (+3 days): commit a016d4e (branch 2.7)
• 2019-12-18 (+18 days): Python 3.6.10 released
• 2019-12-18 (+18 days): Python 3.7.6 released
• 2019-12-18 (+18 days): Python 3.8.1 released
• 2020-03-21 (+112 days): commit 8835f46 (branch 3.5)
• 2020-04-19 (+141 days): Python 2.7.18 released
• 2020-09-05 (+280 days): Python 3.5.10 released
• 2020-10-05: Python 3.9.0 released