CVE-2019-20907
Published: 13 July 2020
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
Priority
Medium
CVSS 3 base score: 7.5
Status
| Package | Release | Status |
|---|---|---|
|
python2.7 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.10 (Impish Indri) |
Needs triage
|
|
| Ubuntu 21.04 (Hirsute Hippo) |
Needs triage
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Released
(2.7.18-1~20.04.1)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(2.7.17-1~18.04ubuntu1.1)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Released
(2.7.12-1ubuntu0~16.04.12)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(2.7.6-8ubuntu0.6+esm6)
|
|
|
python3.4 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.10 (Impish Indri) |
Does not exist
|
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(3.4.3-1ubuntu1~14.04.7+esm7)
|
|
|
python3.5 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.10 (Impish Indri) |
Does not exist
|
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Released
(3.5.2-2ubuntu0~16.04.11)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Needs triage
|
|
|
python3.6 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.10 (Impish Indri) |
Does not exist
|
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(3.6.9-1~18.04ubuntu1.1)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
Patches: Upstream: https://github.com/python/cpython/commit/47a2955589bdb1a114d271496ff803ad73f954b8 |
||
|
python3.7 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.10 (Impish Indri) |
Does not exist
|
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(3.7.5-2~18.04.4)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
Patches: Upstream: https://github.com/python/cpython/commit/79c6b602efc9a906c8496f3d5f4d54c54b48fa06 |
||
|
python3.8 Launchpad, Ubuntu, Debian |
Upstream |
Released
(3.8.5-1)
|
| Ubuntu 21.10 (Impish Indri) |
Does not exist
|
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Released
(3.8.2-1ubuntu1.2)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(3.8.0-3~18.04.1)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
Patches: Upstream: https://github.com/python/cpython/commit/c55479556db015f48fc8bbca17f64d3e65598559 |
||