diff --git a/CVE-2019-20907.patch b/CVE-2019-20907.patch
new file mode 100644
index 0000000000000000000000000000000000000000..47ceeb34e9dd9315f5e3105c2770c5bc5527c034
--- /dev/null
+++ b/CVE-2019-20907.patch
@@ -0,0 +1,29 @@
+Form 1fa6ef2bc7cee1c8e088dd8b397d9b2d54036dbc Mon Sep 17 00:00:00 2001
+From: Rajarishi Devarajan <rishi93dev@gmail.com>
+Date: Sun, 12 Jul 2020 23:47:42 +0200
+Subject: [PATCH] bpo-39017 Fix infinite loop in the tarfile module
+
+Add a check for length = 0 in the _proc_pax function to avoid running into an infinite loop
+
+Signed-off-by:Rajarishi Devarajan <rishi93dev@gmail.com>
+
+---
+ Lib/tarfile.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index adf91d5..574a6bb 100644
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -1400,6 +1400,8 @@ class TarInfo(object):
+ 
+             length, keyword = match.groups()
+             length = int(length)
++            if length == 0:
++                raise InvalidHeaderError("invalid header")
+             value = buf[match.end(2) + 1:match.start(1) + length - 1]
+ 
+             keyword = keyword.decode("utf8")
+-- 
+2.23.0
+
diff --git a/python2.spec b/python2.spec
index f73076e418703820406879f47b6bb3aef6b7ab10..666e78e660a94ca94ae11e6d755926e23b2757f9 100644
--- a/python2.spec
+++ b/python2.spec
@@ -15,7 +15,7 @@
 %undefine _debuginfo_subpackages
 Name:      python2
 Version:   2.7.18
-Release:   2
+Release:   3
 Summary:   Python is an interpreted, interactive object-oriented programming language suitable
 License:   Python
 URL:       https://www.python.org/
@@ -80,6 +80,7 @@ Patch53: CVE-2017-18207.patch
 Patch54: bugfix-excessive-memory-usage-when-using-regular-expressions.patch
 Patch55: CVE-2020-8492.patch
 Patch56: CVE-2019-9674.patch
+Patch57: CVE-2019-20907.patch
 
 BuildRequires: libdb-devel libffi-devel valgrind-devel ncurses-devel expat-devel readline-devel
 BuildRequires: openssl-devel libtirpc-devel tcl-devel tk-devel glibc-devel libnsl2-devel
@@ -614,6 +615,12 @@ sed -e "s|LIBRARY_PATH|%{_libdir}/%{py_INSTSONAME_debug}|" %{SOURCE1} \
 %{dynload_dir}/_testcapimodule_d.so
 
 %changelog
+* Tue Sep 08 2020 shangyibin<shangyibin1@huawei.com> - 2.7.18-3
+- Type:cves
+- ID:CVE-2019-20907
+- SUG:NA
+- DESC:fix CVE-2019-20907
+
 * Fri Aug 07 2020 Leo Fang <leofang_94@163.com> - 2.7.18-2
 - delete useless patch&repatch CVE-2017-28207 and modify yaml file