PublicDateAtUSN: 2020-07-13 13:15:00 UTC
Candidate: CVE-2019-20907
PublicDate: 2020-07-13 13:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20907
 https://bugs.python.org/issue39017
 https://github.com/python/cpython/pull/21454
 https://ubuntu.com/security/notices/USN-4428-1
 https://ubuntu.com/security/notices/USN-4754-3
Description:
 In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_python2.7:
upstream_python2.7: needs-triage
precise/esm_python2.7: released (2.7.3-0ubuntu3.18)
trusty_python2.7: ignored (out of standard support)
trusty/esm_python2.7: released (2.7.6-8ubuntu0.6+esm6)
xenial_python2.7: released (2.7.12-1ubuntu0~16.04.12)
esm-infra/xenial_python2.7: released (2.7.12-1ubuntu0~16.04.12)
bionic_python2.7: released (2.7.17-1~18.04ubuntu1.1)
eoan_python2.7: ignored (reached end-of-life)
focal_python2.7: released (2.7.18-1~20.04.1)
groovy_python2.7: ignored (reached end-of-life)
hirsute_python2.7: ignored (reached end-of-life)
impish_python2.7: needs-triage
jammy_python2.7: needs-triage
devel_python2.7: needs-triage

Patches_python3.4:
upstream_python3.4: needs-triage
precise/esm_python3.4: DNE
trusty_python3.4: ignored (out of standard support)
trusty/esm_python3.4: released (3.4.3-1ubuntu1~14.04.7+esm7)
xenial_python3.4: DNE
bionic_python3.4: DNE
eoan_python3.4: DNE
focal_python3.4: DNE
groovy_python3.4: DNE
hirsute_python3.4: DNE
impish_python3.4: DNE
jammy_python3.4: DNE
devel_python3.4: DNE

Patches_python3.5:
upstream_python3.5: needs-triage
precise/esm_python3.5: DNE
trusty_python3.5: ignored (out of standard support)
trusty/esm_python3.5: needs-triage
xenial_python3.5: released (3.5.2-2ubuntu0~16.04.11)
esm-infra/xenial_python3.5: released (3.5.2-2ubuntu0~16.04.11)
bionic_python3.5: DNE
eoan_python3.5: DNE
focal_python3.5: DNE
groovy_python3.5: DNE
hirsute_python3.5: DNE
impish_python3.5: DNE
jammy_python3.5: DNE
devel_python3.5: DNE

Patches_python3.6:
 upstream: https://github.com/python/cpython/commit/47a2955589bdb1a114d271496ff803ad73f954b8
upstream_python3.6: needs-triage
precise/esm_python3.6: DNE
trusty_python3.6: DNE
trusty/esm_python3.6: DNE
xenial_python3.6: DNE
bionic_python3.6: released (3.6.9-1~18.04ubuntu1.1)
eoan_python3.6: DNE
focal_python3.6: DNE
groovy_python3.6: DNE
hirsute_python3.6: DNE
impish_python3.6: DNE
jammy_python3.6: DNE
devel_python3.6: DNE

Patches_python3.7:
 upstream: https://github.com/python/cpython/commit/79c6b602efc9a906c8496f3d5f4d54c54b48fa06
upstream_python3.7: needs-triage
precise/esm_python3.7: DNE
trusty_python3.7: DNE
trusty/esm_python3.7: DNE
xenial_python3.7: DNE
bionic_python3.7: needed
eoan_python3.7: ignored (reached end-of-life)
focal_python3.7: DNE
groovy_python3.7: DNE
hirsute_python3.7: DNE
impish_python3.7: DNE
jammy_python3.7: DNE
devel_python3.7: DNE

Patches_python3.8:
 upstream: https://github.com/python/cpython/commit/c55479556db015f48fc8bbca17f64d3e65598559
upstream_python3.8: released (3.8.5-1)
precise/esm_python3.8: DNE
trusty_python3.8: DNE
trusty/esm_python3.8: DNE
xenial_python3.8: DNE
bionic_python3.8: needed
eoan_python3.8: ignored (reached end-of-life)
focal_python3.8: released (3.8.2-1ubuntu1.2)
groovy_python3.8: not-affected (3.8.5-1)
hirsute_python3.8: DNE
impish_python3.8: DNE
jammy_python3.8: DNE
devel_python3.8: DNE