[CVE-2019-20907] Infinite loop in the tarfile module

[jvoisin]

BPO	39017
Nosy	@gustaebel, @larryhastings, @ned-deily, @encukou, @ethanfurman, @mgorny, @serhiy-storchaka, @miss-islington, @bcaller, @rishi93
PRs	bpo-39017 Fix infinite loop in the tarfile module #21454 [3.9] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) #21482 [3.8] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) #21483 [3.7] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) #21484 [3.6] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) #21485 [3.5] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) #21489
Files	timeout-a52710a313fdb35fb428c3399277cb640fe2f686: Infinite loop reproducer. recursion.tar: Minimal infinite loop reproducer

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2020-07-16.19:49:38.415>
created_at = <Date 2019-12-10.16:19:56.633>
labels = ['type-security', '3.7', '3.8', '3.9', '3.10']
title = '[CVE-2019-20907] Infinite loop in the tarfile module'
updated_at = <Date 2020-08-03.10:07:01.350>
user = 'https://bugs.python.org/jvoisin'

bugs.python.org fields:

activity = <Date 2020-08-03.10:07:01.350>
actor = 'vstinner'
assignee = 'none'
closed = True
closed_date = <Date 2020-07-16.19:49:38.415>
closer = 'larry'
components = []
creation = <Date 2019-12-10.16:19:56.633>
creator = 'jvoisin'
dependencies = []
files = ['48768', '49309']
hgrepos = []
issue_num = 39017
keywords = ['patch']
message_count = 17.0
messages = ['358200', '373339', '373341', '373468', '373473', '373577', '373632', '373681', '373683', '373684', '373685', '373686', '373687', '373688', '373689', '373764', '373972']
nosy_count = 11.0
nosy_names = ['lars.gustaebel', 'larry', 'ned.deily', 'petr.viktorin', 'ethan.furman', 'mgorny', 'serhiy.storchaka', 'miss-islington', 'bc', 'jvoisin', 'rishi93']
pr_nums = ['21454', '21482', '21483', '21484', '21485', '21489']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue39017'
versions = ['Python 3.5', 'Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10']

[jvoisin]

While playing with fuzzing and Python, I stumbled upon an infinite loop in Python's tarfile module: just open the attached file with tarfile.open('timeout-a52710a313fdb35fb428c3399277cb640fe2f686'), and Python will be endlessly stuck in the _proc_pax function in tarfile.py, likely due to a missing check of length being strictly superior to zero.

[bcaller]

I've attached a minimal tar file which reproduces this. I think the minimum length is 516 bytes.

We need a 512 byte PAX format header block as normal.

Then we need a pax header which matches the regex in

cpython/Lib/tarfile.py

Line 1243 in b26a0db

regex = re.compile(br"(\d+) ([^=]+)=")

length, keyword = re.compile(br"(\d+) ([^=]+)=").groups()

We use the length variable to iterate:

cpython/Lib/tarfile.py

Line 1271 in b26a0db

pos += length

    while True:
        ...
        pos += length

So we can start the block with "0 X=". This makes length=0. So it will increment pos by 0 each loop and loop the same code forever.

Nice find.

Do you think this denial of service is worth requesting a CVE for? If so, can someone else do it.

[bcaller]

A smaller bug: If instead of 0 you use a large number (> 2^63) e.g. 9999999999999999999 you get OverflowError: Python int too large to convert to C ssize_t rather than the expected tarfile.ReadError regardless of errorlevel.

[rishi93]

Hi ! I would like to start contributing to CPython. Can I start working on this issue ?

[ethanfurman]

Absolutely!

But first, you'll need to sign the Contributor License Agreement:

https://www.python.org/psf/contrib/contrib-form/

Thank you for your help!

[rishi93]

Thank you. I have signed the CLA agreement. I have pushed my code changes and also written a testcase for this issue

[jvoisin]

CVE-2019-20907 has been assigned to this issue.

[encukou]

New changeset 5a8d121 by Rishi in branch 'master':
bpo-39017: Avoid infinite loop in the tarfile module (GH-21454)
5a8d121

[encukou]

Larry and Ned, do you want this fix in the security-only releases you manage?

PRs for 3.6 ad 3.7 are ready, should you wish to merge them.

[miss-islington]

New changeset f323229 by Miss Islington (bot) in branch '3.9':
[3.9] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (GH-21482)
f323229

[miss-islington]

New changeset c554795 by Miss Islington (bot) in branch '3.8':
[3.8] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (GH-21483)
c554795