For python and python-native added patch to fix CVE-2019-20907 Signed-off-by: Rahul Taya <rahul.t...@kpit.com> --- recipes-devtools/python/python.inc | 1 + .../python/python/CVE-2019-20907.patch | 53 +++++++++++++++++++ 2 files changed, 54 insertions(+) create mode 100644 recipes-devtools/python/python/CVE-2019-20907.patch
diff --git a/recipes-devtools/python/python.inc b/recipes-devtools/python/python.inc index a4ba0c5..4bf30ee 100644 --- a/recipes-devtools/python/python.inc +++ b/recipes-devtools/python/python.inc @@ -8,6 +8,7 @@ INC_PR = "r1" LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642" SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ + file://CVE-2019-20907.patch \ " SRC_URI[sha256sum] = "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43" diff --git a/recipes-devtools/python/python/CVE-2019-20907.patch b/recipes-devtools/python/python/CVE-2019-20907.patch new file mode 100644 index 0000000..4c24c53 --- /dev/null +++ b/recipes-devtools/python/python/CVE-2019-20907.patch @@ -0,0 +1,53 @@ +From f5481db4bebf9d53b79f29f960f4188af8ccdfde Mon Sep 17 00:00:00 2001 +From: Rishi <rishi_de...@mail.com> +Date: Wed, 15 Jul 2020 13:51:00 +0200 +Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module + (GH-21454) + +Avoid infinite loop when reading specially crafted TAR files using the tarfile module +(CVE-2019-20907). +--- + Lib/tarfile.py | 2 ++ + Lib/test/test_tarfile.py | 7 +++++++ + 2 files changed, 9 insertions(+) + +Upstream-Status: Backport[https://github.com/xzy3/cpython/commit/f5481db4bebf9d53b79f29f960f4188af8ccdfde.patch] +CVE: CVE-2019-20907 +Link: https://github.com/xzy3/cpython/commit/f5481db4bebf9d53b79f29f960f4188af8ccdfde.patch +Comment: Second hunk refreshed and from the original patch skipped changes for files +Lib/test/recursion.tar and Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst +as these files are not present in our source code. + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index e2b60532f693d..6769066cabd6f 100755 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -1249,6 +1249,8 @@ def _proc_pax(self, tarfile): + + length, keyword = match.groups() + length = int(length) ++ if length == 0: ++ raise InvalidHeaderError("invalid header") + value = buf[match.end(2) + 1:match.start(1) + length - 1] + + # Normally, we could just use "utf-8" as the encoding and "strict" + + +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index 89bd738..c61d02b 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -321,6 +321,13 @@ class CommonReadTest(ReadTest): + with self.assertRaisesRegexp(tarfile.ReadError, "unexpected end of data"): + tar.extractfile(t).read() + ++ def test_length_zero_header(self): ++ # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail ++ # with an exception ++ with self.assertRaisesRegex(tarfile.ReadError, "file could not be opened successfully"): ++ with tarfile.open(support.findfile('recursion.tar')) as tar: ++ pass ++ + + class MiscReadTest(CommonReadTest): + taropen = tarfile.TarFile.taropen -- 2.17.1 This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#89582): https://lists.openembedded.org/g/openembedded-devel/message/89582 Mute This Topic: https://lists.openembedded.org/mt/80729617/21656 Group Owner: openembedded-devel+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
