CVE-2019-20907
📋 TL;DR
This vulnerability allows an attacker to craft a malicious TAR archive that causes an infinite loop when processed by Python's tarfile module. This leads to denial of service (DoS) by consuming CPU resources indefinitely. All Python applications using tarfile.open() to process untrusted TAR archives are affected.
💻 Affected Systems
- Python
- Any application using Python's tarfile module
📦 What is this software?
Fedora by Fedoraproject
Fedora by Fedoraproject
Leap by Opensuse
Leap by Opensuse
Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
Learn more about Python →Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
Learn more about Python →Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
Learn more about Python →Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
Learn more about Python →Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to infinite CPU consumption, potentially affecting multiple processes if the malicious archive is processed in a shared environment.
Likely Case
Denial of service affecting the specific application processing the malicious TAR archive, causing service disruption.
If Mitigated
Minimal impact if proper input validation and resource limits are in place, with the process being terminated after hitting resource limits.
🎯 Exploit Status
Exploitation requires the attacker to provide a malicious TAR archive to a vulnerable application. The vulnerability is well-documented with proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Python 3.8.4 and later
Vendor Advisory: https://bugs.python.org/issue39017
Restart Required: Yes
Instructions:
1. Upgrade Python to version 3.8.4 or later. 2. Restart all Python applications and services. 3. Test that tarfile processing works correctly with legitimate archives.
🔧 Temporary Workarounds
Input validation wrapper
allImplement custom validation before passing TAR archives to tarfile.open()
# Python code snippet to validate TAR headers
import tarfile
import io
def safe_tar_open(filename):
# Add custom validation logic here
# Consider checking file size, header structure
# before calling tarfile.open()
pass
Resource limiting
linuxUse resource limits or timeouts when processing TAR archives
# Use signal.alarm or threading.Timer for timeout
import signal
import tarfile
def timeout_handler(signum, frame):
raise TimeoutError("TAR processing timeout")
signal.signal(signal.SIGALRM, timeout_handler)
signal.alarm(30) # 30 second timeout
# Process TAR file here
signal.alarm(0)
🧯 If You Can't Patch
- Implement strict input validation for TAR archives before processing
- Deploy resource monitoring and automatic process termination for stuck tarfile operations
🔍 How to Verify
Check if Vulnerable:
Check Python version: python --version. If version is 3.8.3 or earlier, the system is vulnerable if using tarfile module.Check Version:
python --versionVerify Fix Applied:
After patching, verify Python version is 3.8.4 or later and test tarfile processing with sample archives.📡 Detection & Monitoring
Log Indicators:
- High CPU usage by Python processes
- Processes stuck in tarfile operations
- Application timeouts when processing archives
Network Indicators:
- Unusually large number of TAR file uploads
- TAR files with abnormal header structures
SIEM Query:
Processes with high CPU usage AND command containing 'python' AND (command containing 'tarfile' OR 'tar')🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00051.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00052.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00053.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00056.html
- https://bugs.python.org/issue39017
- https://github.com/python/cpython/pull/21454
- https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
- https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CAXHCY4V3LPAAJOBCJ26ISZ4NUXQXTUZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PDKKRXLNVXRF6VGERZSR3OMQR5D5QI6I/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TOGKLGTXZLHQQFBVCAPSUDA6DOOJFNRY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSL3XWVDMSMKO23HR74AJQ6VEM3C2NTS/
- https://security.gentoo.org/glsa/202008-01
- https://security.netapp.com/advisory/ntap-20200731-0002/
- https://usn.ubuntu.com/4428-1/
- https://www.oracle.com/security-alerts/cpujan2021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00051.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00052.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00053.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00056.html
- https://bugs.python.org/issue39017
- https://github.com/python/cpython/pull/21454
- https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
- https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CAXHCY4V3LPAAJOBCJ26ISZ4NUXQXTUZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PDKKRXLNVXRF6VGERZSR3OMQR5D5QI6I/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TOGKLGTXZLHQQFBVCAPSUDA6DOOJFNRY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSL3XWVDMSMKO23HR74AJQ6VEM3C2NTS/
- https://security.gentoo.org/glsa/202008-01
- https://security.netapp.com/advisory/ntap-20200731-0002/
- https://usn.ubuntu.com/4428-1/
- https://www.oracle.com/security-alerts/cpujan2021.html
