Your message dated Sat, 20 Feb 2021 18:05:01 +0000
with message-id <e1ldwcn-000f7q...@fasolo.debian.org>
and subject line Bug#970099: fixed in python2.7 2.7.18-2
has caused the Debian Bug report #970099,
regarding CVE-2019-20907 CVE-2020-8492
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
970099: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970099
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python2.7
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Two security issues from after the 2.7.18 release. Backports
from 3.x are attached (I'm planning to submit these for 10.6).

Cheers,
        Moritz
From 47a2955589bdb1a114d271496ff803ad73f954b8 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
 <31488909+miss-isling...@users.noreply.github.com>
Date: Wed, 15 Jul 2020 05:36:36 -0700
Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module
 (GH-21454) (#21485)

Avoid infinite loop when reading specially crafted TAR files using the tarfile
module (CVE-2019-20907).
(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)

Co-authored-by: Rishi <rishi_de...@mail.com>

diff --git a/Lib/tarfile.py b/Lib/tarfile.py
index adf91d5..574a6bb 100644
--- a/Lib/tarfile.py
+++ b/Lib/tarfile.py
@@ -1400,6 +1400,8 @@ class TarInfo(object):
 
             length, keyword = match.groups()
             length = int(length)
+            if length == 0:
+                raise InvalidHeaderError("invalid header")
             value = buf[match.end(2) + 1:match.start(1) + length - 1]
 
             keyword = keyword.decode("utf8")
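Review bot: the new guard rejects only `length == 0`, the value the commit message ties to the infinite loop, but any `length` shorter than the `length keyword=` prefix that `match` already consumed still passes and turns `value = buf[match.end(2) + 1:match.start(1) + length - 1]` into an empty or inverted slice; consider a lower-bound check such as `if length < match.end(2) - match.start(1) + 2:` (a record must at least cover its own prefix and the terminating newline) raising the same `InvalidHeaderError`. A short comment on the `if length == 0:` line explaining why a zero-length record never advances past the header, plus a more specific message than `"invalid header"` (e.g. `"invalid pax header length"`), would help whoever reads this next.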
Backport of 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4, trimmed down to the
fix for CVE-2020-8492

Co-Authored-By: Serhiy Storchaka <storch...@gmail.com>
diff --git a/Lib/urllib2.py b/Lib/urllib2.py
index 8b634ad..11a62a4 100644
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -856,8 +856,15 @@ class AbstractBasicAuthHandler:
 
     # allow for double- and single-quoted realm values
     # (single quotes are a violation of the RFC, but appear in the wild)
-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
-                    'realm=(["\']?)([^"\']*)\\2', re.I)
+    rx = re.compile('(?:^|,)'   # start of the string or ','
+                    '[ \t]*'    # optional whitespaces
+                    '([^ \t]+)' # scheme like "Basic"
+                    '[ \t]+'    # mandatory whitespaces
+                    # realm=xxx
+                    # realm='xxx'
+                    # realm="xxx"
+                    'realm=(["\']?)([^"\']*)\\2',
+                    re.I)
 
     # XXX could pre-emptively send auth info already accepted (RFC 2617,
     # end of section 2, and section 1.2 immediately after "credentials"
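Review bot: the rewritten pattern drops the unbounded `(?:.*,)*` prefix of the old regex, which is the part the commit message's CVE-2020-8492 fix addresses, but nothing in the hunk records that rationale; add a comment on the `'(?:^|,)'` line stating that the anchored alternative exists to avoid heavy backtracking on long authentication header values that never reach `realm=`, and add a regression test with such a header so the old pattern cannot quietly come back. Minor: `# optional whitespaces` and `# mandatory whitespaces` should read `whitespace`, and the lone `re.I)` line would benefit from a trailing `# case-insensitive scheme and realm keyword` so the flag is not overlooked below the comment block.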

--- End Message ---
--- Begin Message ---
Source: python2.7
Source-Version: 2.7.18-2
Done: Matthias Klose <d...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python2.7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 970...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <d...@debian.org> (supplier of updated python2.7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sat, 20 Feb 2021 18:14:40 +0100
Source: python2.7
Architecture: source
Version: 2.7.18-2
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <d...@debian.org>
Changed-By: Matthias Klose <d...@debian.org>
Closes: 939514 970099
Changes:
 python2.7 (2.7.18-2) unstable; urgency=medium
 .
   * Fix issue #39017: Avoid infinite loop when reading specially crafted TAR
     files using the tarfile module (CVE-2019-20907).
   * Backport of 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4, trimmed down to the
     fix for CVE-2020-8492. Closes: #970099.
   * Fix FTCBFS: Add back a dependency on python2.7:any (Helmut Grohne).
     Closes: #939514.
   * Fix issue #42938: Replace snprintf with Python unicode formatting in
     ctypes param reprs (CVE-2021-3177) (Saif Hakim). LP: #1916117.


--- End Message ---
