Package: python2.7 Severity: important Tags: security X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Two security issues from after the 2.7.18 release. Backports from 3.x are attached (I'm planning to submit these for 10.6). Cheers, Moritz
>From 47a2955589bdb1a114d271496ff803ad73f954b8 Mon Sep 17 00:00:00 2001 From: "Miss Islington (bot)" <31488909+miss-isling...@users.noreply.github.com> Date: Wed, 15 Jul 2020 05:36:36 -0700 Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (#21485) Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907). (cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4) Co-authored-by: Rishi <rishi_de...@mail.com> diff --git a/Lib/tarfile.py b/Lib/tarfile.py index adf91d5..574a6bb 100644 --- a/Lib/tarfile.py +++ b/Lib/tarfile.py @@ -1400,6 +1400,8 @@ class TarInfo(object): length, keyword = match.groups() length = int(length) + if length == 0: + raise InvalidHeaderError("invalid header") value = buf[match.end(2) + 1:match.start(1) + length - 1] keyword = keyword.decode("utf8")
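Review bot: the new `if length == 0` guard only rejects the exact value that leaves the pax record loop stuck (a zero-length record never advances past the current header, which is the infinite loop the commit message describes), but the very next line still slices `value = buf[match.end(2) + 1:match.start(1) + length - 1]`, so a small positive `length` that ends before `match.end(2) + 1` silently yields an empty `value` rather than an error; consider rejecting any `length` that does not cover the keyword and separator as well. The message `"invalid header"` is also less useful for triage than the surrounding errors; something like `InvalidHeaderError("invalid pax header record length")` would say what was wrong. Since `length` comes from `int()` on a regex group, a negative value cannot occur, so the zero check is sufficient for termination; a regression test with a zero-length pax record belongs in Lib/test/test_tarfile.py alongside this change.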
Backport of 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4, trimmed down to the fix for CVE-2020-8492 Co-Authored-By: Serhiy Storchaka <storch...@gmail.com> diff --git a/Lib/urllib2.py b/Lib/urllib2.py index 8b634ad..11a62a4 100644 --- a/Lib/urllib2.py +++ b/Lib/urllib2.py @@ -856,8 +856,15 @@ class AbstractBasicAuthHandler: # allow for double- and single-quoted realm values # (single quotes are a violation of the RFC, but appear in the wild) - rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+' - 'realm=(["\']?)([^"\']*)\\2', re.I) + rx = re.compile('(?:^|,)' # start of the string or ',' + '[ \t]*' # optional whitespaces + '([^ \t]+)' # scheme like "Basic" + '[ \t]+' # mandatory whitespaces + # realm=xxx + # realm='xxx' + # realm="xxx" + 'realm=(["\']?)([^"\']*)\\2', + re.I) # XXX could pre-emptively send auth info already accepted (RFC 2617, # end of section 2, and section 1.2 immediately after "credentials"
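Review bot: replacing the `(?:.*,)*` prefix with `(?:^|,)` is what removes the backtracking behind CVE-2020-8492, but it also changes what the pattern accepts: the scheme must now sit directly at the start of the header or after a comma, whereas the old pattern skipped arbitrary text before a comma. That behaviour change deserves a sentence in the commit message, which currently only says the backport is "trimmed down" without listing what was dropped relative to upstream 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4, so a later reviewer cannot tell which parts of the fix are intentionally absent. The hunk touches only Lib/urllib2.py; a regression test for `AbstractBasicAuthHandler` header parsing in Lib/test/test_urllib2.py should accompany the change so the quoted-realm forms documented in the new inline comments (`realm=xxx`, `realm='xxx'`, `realm="xxx"`) stay covered.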