> Python 输入验证错误漏洞

Python 输入验证错误漏洞

CNNVD-ID编号	CNNVD-202007-558	CVE编号	CVE-2019-20907
发布时间	2020-07-13	更新时间	2021-01-21
漏洞类型	输入验证错误	漏洞来源	N/A
危险等级	高危	威胁类型	远程
厂商	N/A

漏洞介绍

Python是Python软件基金会的一套开源的、面向对象的程序设计语言。该语言具有可扩展、支持模块和包、支持多种平台等特点。

Python 3.8.3及之前版本中的Lib/tarfile.py文件存在安全漏洞，该漏洞源于_proc_pax缺少标头验证。攻击者可借助TAR归档文件利用该漏洞导致无限循环。

漏洞补丁

目前厂商已发布升级了Python 输入验证错误漏洞的补丁，Python 输入验证错误漏洞的补丁获取链接：

https://bugs.python.org/issue39017

参考网址

来源:FEDORA

链接：https://lists.fedoraproject.org/archives/list/[email protected]/message/YSL3XWVDMSMKO23HR74AJQ6VEM3C2NTS/

来源:FEDORA

链接：https://lists.fedoraproject.org/archives/list/[email protected]/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD/

来源:SUSE

链接：http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00053.html

来源:FEDORA

链接：https://lists.fedoraproject.org/archives/list/[email protected]/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX/

来源:MLIST

链接：https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html

来源:MLIST

链接：https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html

来源:FEDORA

链接：https://lists.fedoraproject.org/archives/list/[email protected]/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE/

来源:FEDORA

链接：https://lists.fedoraproject.org/archives/list/[email protected]/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU/

来源:FEDORA

链接：https://lists.fedoraproject.org/archives/list/[email protected]/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA/

来源:SUSE

链接：http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00052.html

来源:CONFIRM

链接：https://github.com/python/cpython/pull/21454

来源:FEDORA

链接：https://lists.fedoraproject.org/archives/list/[email protected]/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ/

来源:SUSE

链接：http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00056.html

来源:FEDORA

链接：https://lists.fedoraproject.org/archives/list/[email protected]/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/

来源:FEDORA

链接：https://lists.fedoraproject.org/archives/list/[email protected]/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4/

来源:MISC

链接：https://www.oracle.com/security-alerts/cpujan2021.html

来源:GENTOO

链接：https://security.gentoo.org/glsa/202008-01

来源:UBUNTU

链接：https://usn.ubuntu.com/4428-1/

来源:FEDORA

链接：https://lists.fedoraproject.org/archives/list/[email protected]/message/PDKKRXLNVXRF6VGERZSR3OMQR5D5QI6I/

来源:FEDORA

链接：https://lists.fedoraproject.org/archives/list/[email protected]/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U/

来源:FEDORA

链接：https://lists.fedoraproject.org/archives/list/[email protected]/message/TOGKLGTXZLHQQFBVCAPSUDA6DOOJFNRY/

来源:FEDORA

链接：https://lists.fedoraproject.org/archives/list/[email protected]/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO/

来源:FEDORA

链接：https://lists.fedoraproject.org/archives/list/[email protected]/message/CAXHCY4V3LPAAJOBCJ26ISZ4NUXQXTUZ/

来源:CONFIRM

链接：https://bugs.python.org/issue39017

来源:SUSE

链接：http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00051.html

来源:CONFIRM

链接：https://security.netapp.com/advisory/ntap-20200731-0002/

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.3614/

来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/160125/Red-Hat-Security-Advisory-2020-5149-01.html

来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-affect-ibm-cloud-pak-for-data-python-cve-2019-20907/

来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/160207/Red-Hat-Security-Advisory-2020-5118-01.html

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.3828/

来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/159655/Red-Hat-Security-Advisory-2020-4299-01.html

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.4179/

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.2871/

来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/159650/Red-Hat-Security-Advisory-2020-4273-01.html

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.2796/

来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/159811/Red-Hat-Security-Advisory-2020-4433-01.html

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.3591/

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.4513/

来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/159983/Red-Hat-Security-Advisory-2020-5009-01.html

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2021.0234/

来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/158705/Gentoo-Linux-Security-Advisory-202008-01.html

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.3212/

来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/158524/Ubuntu-Security-Notice-USN-4428-1.html

来源:www.nsfocus.net

链接：http://www.nsfocus.net/vulndb/48185

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.3995/

来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/160551/Red-Hat-Security-Advisory-2020-5359-01.html

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.3887/

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.4237/

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.4100/

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.2511/

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.4407/

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2021.0013/

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2021.0099/

来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulnerability-from-python-affects-ibm-netezza-host-management/

来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/160889/Red-Hat-Security-Advisory-2021-0050-01.html

来源:vigilance.fr

链接：https://vigilance.fr/vulnerability/Python-overload-via-TAR-File-32888

受影响实体

暂无

信息来源

http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202007-558