pool/python
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FIx patches

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=426
This commit is contained in:
Matej Cepl 2024-09-20 21:10:45 +00:00 committed by Git OBS Bridge
parent 2db1a650e2
commit 5f785230b9
1 changed files with 11 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
CVE-2019-20907_tarfile-inf-loop.patch
View File

@ -5,14 +5,15 @@ Subject: [PATCH 1/4] bpo-39017 Fix infinite loop in the tarfile module
Add a check for length = 0 in the _proc_pax function to avoid running into an infinite loop Add a check for length = 0 in the _proc_pax function to avoid running into an infinite loop
--- ---
Lib/tarfile.py | 2 ++ Lib/tarfile.py | 2 ++
Lib/test/test_tarfile.py | 5 +++++ Lib/test/test_tarfile.py | 8 ++++++++
3 files changed, 7 insertions(+) Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 1 +
3 files changed, 11 insertions(+)
create mode 100644 Lib/test/recursion.tar create mode 100644 Lib/test/recursion.tar
--- a/Lib/tarfile.py --- a/Lib/tarfile.py
+++ b/Lib/tarfile.py +++ b/Lib/tarfile.py
@@ -1226,6 +1226,8 @@ class TarInfo(object): @@ -1400,6 +1400,8 @@ class TarInfo(object):
length, keyword = match.groups() length, keyword = match.groups()
length = int(length) length = int(length)
@ -20,12 +21,12 @@ Add a check for length = 0 in the _proc_pax function to avoid running into an in
+ raise InvalidHeaderError("invalid header") + raise InvalidHeaderError("invalid header")
value = buf[match.end(2) + 1:match.start(1) + length - 1] value = buf[match.end(2) + 1:match.start(1) + length - 1]
# Normally, we could just use "utf-8" as the encoding and "strict" keyword = keyword.decode("utf8")
--- a/Lib/test/test_tarfile.py --- a/Lib/test/test_tarfile.py
+++ b/Lib/test/test_tarfile.py +++ b/Lib/test/test_tarfile.py
@@ -297,6 +297,14 @@ class Bz2ListTest(Bz2Test, ListTest): @@ -321,6 +321,14 @@ class CommonReadTest(ReadTest):
class LzmaListTest(LzmaTest, ListTest): with self.assertRaisesRegexp(tarfile.ReadError, "unexpected end of data"):
pass tar.extractfile(t).read()
+ def test_length_zero_header(self): + def test_length_zero_header(self):
+ # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail + # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail
@ -36,8 +37,8 @@ Add a check for length = 0 in the _proc_pax function to avoid running into an in
+ +
+ +
class CommonReadTest(ReadTest): class MiscReadTest(CommonReadTest):
taropen = tarfile.TarFile.taropen
--- /dev/null --- /dev/null
+++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst +++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
@@ -0,0 +1 @@ @@ -0,0 +1 @@