
00437: [3.8] gh-121285: Remove backtracking when parsing tarfile head… #87

Merged

Conversation

frenzymadness
Member

00437: [3.8] gh-121285: Remove backtracking when parsing tarfile headers (pythonGH-121286) (python#123642)

  • Remove backtracking when parsing tarfile headers
  • Rewrite PAX header parsing to be stricter
  • Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64)

@frenzymadness
Member Author

I had to remove one usage of the walrus operator to make the patch work.

@hroncok
Member

hroncok commented Sep 5, 2024

Could you please remove the 3.8 bit from the commit message? It is kinda confusing.

@stratakis
Member

I would rewrite the commit message to something like: 00437: CVE-2024-6232 Remove backtracking when parsing tarfile headers

* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Lumír Balhar <lbalhar@redhat.com>
@frenzymadness
Member Author

Fixed and reflected everywhere.

@frenzymadness
Member Author

This PR completely slipped off my radar. The fix is already delivered in all Fedora releases, so I'm going to merge this as well and add a proper tag.

@frenzymadness frenzymadness merged commit 05f8c58 into fedora-python:fedora-3.6 Nov 4, 2024