python: Apply patch for CVE-2019-20907

Including the patch file in-tree because the upstream patch is not
intended to apply for Python 2.

Re #94004

authored by Christian Kauhaus and committed by Frederik Rietdijk a14859c6 46ee7ddc

+27
+24
pkgs/development/interpreters/python/cpython/2.7/CVE-2019-20907.patch
··· 1 + From 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4 Mon Sep 17 00:00:00 2001 2 + From: Rishi <rishi_devan@mail.com> 3 + Date: Wed, 15 Jul 2020 13:51:00 +0200 4 + Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module 5 + (GH-21454) 6 + 7 + Avoid infinite loop when reading specially crafted TAR files using the tarfile module 8 + (CVE-2019-20907). 9 + --- 10 + Lib/tarfile.py | 2 ++ 11 + 12 + diff --git a/Lib/tarfile.py b/Lib/tarfile.py 13 + index e2b60532f6..6769066cab 100755 14 + --- a/Lib/tarfile.py 15 + +++ b/Lib/tarfile.py 16 + @@ -1249,6 +1249,8 @@ class TarInfo(object): 17 + 18 + length, keyword = match.groups() 19 + length = int(length) 20 + + if length == 0: 21 + + raise InvalidHeaderError("invalid header") 22 + value = buf[match.end(2) + 1:match.start(1) + length - 1] 23 + 24 + # Normally, we could just use "utf-8" as the encoding and "strict"
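Review bot: the in-tree patch carries only the `Lib/tarfile.py` hunk (diffstat `Lib/tarfile.py | 2 ++`), so no regression test accompanies the fix; consider adding a small test to the 2.7 test run (a crafted pax header whose record length field is `0`) so that `if length == 0: raise InvalidHeaderError("invalid header")` is actually exercised and a future rebase cannot silently drop it. The check itself is the right shape: `length` is produced by `int(length)` from the matched digits, so it cannot be negative, and a zero-length record is the case the subject line ("Avoid infinite loop when reading specially crafted TAR files") describes, so rejecting the header with `InvalidHeaderError` rather than skipping the record is the safer outcome. Since the commit message says the upstream patch is not meant for Python 2, the hunk header `@@ -1249,6 +1249,8 @@` and the index line `e2b60532f6..6769066cab` come from the 3.x tree; expect `patch` to apply it with an offset against 2.7's `tarfile.py`, and confirm in the build log that the hunk was applied (possibly with offset) rather than rejected.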
+3
pkgs/development/interpreters/python/cpython/2.7/default.nix
··· 90 90 91 91 # Backport from CPython 3.8 of a good list of tests to run for PGO. 92 92 ./profile-task.patch 93 + 94 + # Patch is likely to go away in the next release (if there is any) 95 + ./CVE-2019-20907.patch 93 96 ] ++ optionals (x11Support && stdenv.isDarwin) [ 94 97 ./use-correct-tcl-tk-on-darwin.patch 95 98 ] ++ optionals stdenv.isLinux [
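Review bot: the comment `# Patch is likely to go away in the next release (if there is any)` does not say what the patch fixes or why it is carried in-tree; that reasoning lives only in the commit message, which nobody reading `default.nix` later will see. Suggest expanding it to something like `# CVE-2019-20907 (bpo-39017): infinite loop in tarfile on crafted pax headers; upstream fix targets 3.x only, so it is carried here for 2.7`, so that whoever next touches this patch list can tell whether the entry is still needed.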