
untar vulnerability CVE-2007-4559 #97663

Closed
Denelvo opened this issue Sep 30, 2022 · 1 comment
Labels
type-bug An unexpected behavior, bug, or error

Comments


Denelvo commented Sep 30, 2022

Bug report

As the sensational article on bleepingcomputer mentions:
https://www.bleepingcomputer.com/news/security/unpatched-15-year-old-python-bug-allows-code-execution-in-350k-projects/

tarfile.extractall() just extracts everything that is in the tarball, including stuff like ../../../etc/passwd, which is kind of shady, and exploitable - as the video shows.

This has been reported before:
https://mail.python.org/pipermail/python-dev/2007-August/074290.html
I think the response was: "upstream should fix it". (Meaning: GNU tar)

Eventually, upstream did fix it; tar now throws an error when untarring files with '../' in them:

(base)  %tar -tf tarvuln.tar 
tarvuln/
tarvuln/blu.txt
tarvuln/bla.txt
etc/passwd_notreally
../../etc/passwd_notreally
(base)  %tar -xf tarvuln.tar 
**../../etc/passwd_notreally: Path contains '..'**
tar: Error exit delayed from previous errors.

I suggest tarfile.extractall() is changed so it throws that same error as GNU tar.

@Denelvo Denelvo added the type-bug An unexpected behavior, bug, or error label Sep 30, 2022
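As an added illustration, not code from this issue or from CPython, the check below refuses an archive up front when any member path (or link target) would resolve outside the destination, in the spirit of the GNU tar refusal quoted in the report. The archive is constructed in memory to mirror the listing above and the helper names are mine; Python 3.12 and later also offer this protection built in via extractall(filter='data').

```python
import io
import os
import tarfile
import tempfile

def _is_within(base: str, target: str) -> bool:
    """True if target resolves (symlinks included) to a path inside base."""
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(target)]) == base

def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Names of members whose path, or link target, would land outside dest."""
    bad = []
    for m in tar.getmembers():
        targets = [os.path.join(dest, m.name)]
        if m.issym():  # symlink target is relative to the member's directory
            targets.append(os.path.join(dest, os.path.dirname(m.name), m.linkname))
        elif m.islnk():  # hard-link target is relative to the archive root
            targets.append(os.path.join(dest, m.linkname))
        if not all(_is_within(dest, t) for t in targets):
            bad.append(m.name)
    return bad

def safe_extractall(tar: tarfile.TarFile, dest: str) -> None:
    """Refuse the whole archive if any member escapes dest, as GNU tar does."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise tarfile.ExtractError("path escapes destination", bad)
    tar.extractall(dest)

def build_demo_tar(names=("tarvuln/blu.txt", "../../etc/passwd_notreally")) -> bytes:
    """Constructed in-memory archive mirroring the listing in the report."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 6
            tar.addfile(info, io.BytesIO(b"hello\n"))
    return buf.getvalue()

def try_extract(data: bytes) -> list:
    """Extract into a scratch dir; return the names that caused a refusal."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(data)) as tar:
            try:
                safe_extractall(tar, dest)
                return []
            except tarfile.ExtractError as err:
                return err.args[1]
```

Checking every member before writing anything is what makes the refusal atomic: a single bad entry means nothing from the archive reaches disk.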
vstinner (Member) commented Sep 30, 2022

This issue is a duplicate of #73974
