Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove backtracking from parsing tarfile members and headers #121285

Closed
sethmlarson opened this issue Jul 2, 2024 · 5 comments
Closed

Remove backtracking from parsing tarfile members and headers #121285

sethmlarson opened this issue Jul 2, 2024 · 5 comments
Assignees
@gpshead @sethmlarson
Labels
3.8 (EOL) end of life 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes 3.13 bugs and security fixes stdlib Python modules in the Lib dir type-security A security issue

Comments

@sethmlarson
Copy link
Contributor

sethmlarson commented Jul 2, 2024
edited by bedevere-app bot
Loading

Bug description:

Today the tarfile module parsing of header values allows for backtracking when parsing header values. Headers have a well-known format that doesn't require backtracking to parse reliably, the new method of parsing will only require a single pass over a byte stream.

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Linked PRs
@sethmlarson sethmlarson added the type-security A security issue label Jul 2, 2024
@bedevere-app bedevere-app bot mentioned this issue Jul 2, 2024
Merged
gpshead added a commit that referenced this issue Aug 31, 2024
@sethmlarson @Eclips4 @gpshead
gh-121285: Remove backtracking when parsing tarfile headers (GH-121286)
34ddb64 
* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Aug 31, 2024
@sethmlarson @Eclips4
@gpshead @miss-islington
pythongh-121285: Remove backtracking when parsing tarfile headers (py…
c47341f 
…thonGH-121286)

* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Aug 31, 2024
@sethmlarson @Eclips4
@gpshead @miss-islington
pythongh-121285: Remove backtracking when parsing tarfile headers (py…
aef7f11 
…thonGH-121286)

* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
This was referenced Aug 31, 2024
Merged
Merged
@gpshead
Copy link
Member

gpshead commented Aug 31, 2024

main version merged. I'll let you work out any non-automatic backports.

gpshead added a commit that referenced this issue Aug 31, 2024
@miss-islington @sethmlarson
@Eclips4 @gpshead
[3.12] gh-121285: Remove backtracking when parsing tarfile headers (G…
4eaf489 
…H-121286) (GH-123543)

gh-121285: Remove backtracking when parsing tarfile headers (GH-121286)

* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@picnixz picnixz added stdlib Python modules in the Lib dir 3.11 only security fixes 3.10 only security fixes 3.9 only security fixes 3.8 (EOL) end of life 3.13 bugs and security fixes labels Sep 1, 2024
@picnixz
Copy link
Contributor

picnixz commented Sep 1, 2024

(I just added the labels that still require the backports and you could remove them one by one when you're done)

Yhg1s pushed a commit that referenced this issue Sep 2, 2024
@miss-islington @sethmlarson
@Eclips4 @gpshead
[3.13] gh-121285: Remove backtracking when parsing tarfile headers (G…
ed3a49e 
…H-121286) (#123542)

gh-121285: Remove backtracking when parsing tarfile headers (GH-121286)

* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
sethmlarson added a commit to sethmlarson/cpython that referenced this issue Sep 3, 2024
@sethmlarson @Eclips4 @gpshead
[3.11] pythongh-121285: Remove backtracking when parsing tarfile head…
b743113 
…ers (pythonGH-121286)

* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-app bedevere-app bot mentioned this issue Sep 3, 2024
Merged
sethmlarson added a commit to sethmlarson/cpython that referenced this issue Sep 3, 2024
@sethmlarson @Eclips4 @gpshead
[3.10] pythongh-121285: Remove backtracking when parsing tarfile head…
3ea4396 
…ers (pythonGH-121286)

* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-app bedevere-app bot mentioned this issue Sep 3, 2024
Merged
sethmlarson added a commit to sethmlarson/cpython that referenced this issue Sep 3, 2024
@sethmlarson @Eclips4 @gpshead
[3.9] pythongh-121285: Remove backtracking when parsing tarfile heade…
daf223e 
…rs (pythonGH-121286)

* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-app bedevere-app bot mentioned this issue Sep 3, 2024
Merged
sethmlarson added a commit to sethmlarson/cpython that referenced this issue Sep 3, 2024
@sethmlarson @Eclips4 @gpshead
[3.8] pythongh-121285: Remove backtracking when parsing tarfile heade…
80b31d4 
…rs (pythonGH-121286)

* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-app bedevere-app bot mentioned this issue Sep 3, 2024
Merged
pablogsal pushed a commit that referenced this issue Sep 3, 2024
@sethmlarson @Eclips4 @gpshead
[3.11] gh-121285: Remove backtracking when parsing tarfile headers (G…
d449caf 
…H-121286) (#123639)

* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64)

Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
pablogsal pushed a commit that referenced this issue Sep 3, 2024
@sethmlarson @Eclips4 @gpshead
[3.10] gh-121285: Remove backtracking when parsing tarfile headers (G…
743acbe 
…H-121286) (#123640)

* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64)

Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@frenzymadness
Copy link
Contributor

The CVE description contains:

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

but the test added to verify the fix does not cause/test the ReDoS. I mean, when you run the test with unpatched Python, it raises tarfile.ReadError as well just with a different message, for example:

tarfile.ReadError: file could not be opened successfully:
- method gz: ReadError('not a gzip file')
- method bz2: ReadError('not a bzip2 file')
- method xz: ReadError('not an lzma file')
- method tar: ReadError('bad checksum')

Could you please help me understand how one of the regexes (fox example: br"(\d+) ([^=]+)=") can cause a regex backtracking? There is no combination of greedy nested quatifiers, greedy quantifiers are limited by the character class and I don't see a need for the regex algorithm to go back and consider another path if the match is not found.

@sethmlarson
Copy link
Contributor Author

@frenzymadness Apologies for the confusion, not all of the regular expressions in the PR have issues with backtracking. The regex you mention was replaced to process the entire tar header block in one pass rather than multiple passes.

ambv pushed a commit that referenced this issue Sep 4, 2024
@sethmlarson @Eclips4 @gpshead
[3.8] gh-121285: Remove backtracking when parsing tarfile headers (GH…
7d1f50c 
…-121286) (#123642)

* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
ambv pushed a commit that referenced this issue Sep 4, 2024
@sethmlarson @Eclips4 @gpshead
[3.9] gh-121285: Remove backtracking when parsing tarfile headers (GH…
b4225ca 
…-121286) (#123641)

* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@ambv ambv closed this as completed Sep 4, 2024
frenzymadness pushed a commit to frenzymadness/cpython that referenced this issue Sep 5, 2024
@sethmlarson @Eclips4
@gpshead @frenzymadness
00437: [3.8] pythongh-121285: Remove backtracking when parsing tarfil…
182d6ca 
…e headers (pythonGH-121286) (python#123642)

* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
frenzymadness added a commit to frenzymadness/cpython that referenced this issue Sep 5, 2024
@sethmlarson @Eclips4
@gpshead @frenzymadness
00437: [3.8] pythongh-121285: Remove backtracking when parsing tarfil…
3209abb 
…e headers (pythonGH-121286) (python#123642)

* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Lumír Balhar <lbalhar@redhat.com>
@mcepl
Copy link
Contributor

mcepl commented Sep 18, 2024

Patch for Python 3.8 applies more or less painlessly on the 3.6 branch as well.

mcepl pushed a commit to openSUSE-Python/cpython that referenced this issue Oct 9, 2024
@sethmlarson @Eclips4
@gpshead @mcepl
[CVE-2024-6232] Remove backtracking when parsing tarfile headers
bfc7d56 
* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Fixes: bsc#1230227 (CVE-2024-6232)
Fixes: gh#python#121285
From-PR: gh#python/cpython!123642
Patch: CVE-2024-6232-ReDOS-backtrack-tarfile.patch
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gpshead gpshead

@sethmlarson sethmlarson

Labels
3.8 (EOL) end of life 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes 3.13 bugs and security fixes stdlib Python modules in the Lib dir type-security A security issue
Projects
Tarfile issues
Status: Done
Milestone
No milestone
Development

No branches or pull requests
6 participants
@ambv @gpshead @mcepl @frenzymadness @picnixz @sethmlarson