Red Hat Bugzilla – Attachment 1975369 Details for Bug 2222249: python-setuptools: FTBFS in Fedora Rawhide
[patch] preliminary patch for pip
cve-2007-4559-tarfile.patch (text/plain), 2.09 KB, created by Petr Viktorin on 2023-07-12 12:29:01 UTC
>diff -rU3 pip-21.2.3-orig/src/pip/_internal/utils/unpacking.py pip-21.2.3/src/pip/_internal/utils/unpacking.py >--- pip-21.2.3-orig/src/pip/_internal/utils/unpacking.py 2021-08-06 12:26:52.000000000 +0200 >+++ pip-21.2.3/src/pip/_internal/utils/unpacking.py 2023-07-11 17:05:42.743359968 +0200 >@@ -182,6 +182,7 @@ > try: > leading = has_leading_dir([member.name for member in tar.getmembers()]) > for member in tar.getmembers(): >+ member = tarfile.data_filter(member, location) > fn = member.name > if leading: > fn = split_leading_dir(fn)[1] > > >From 60227b5256d1ec4143e858e90847ae351694449d Mon Sep 17 00:00:00 2001 >From: Petr Viktorin <encukou@gmail.com> >Date: Fri, 30 Jun 2023 17:54:41 +0200 >Subject: [PATCH] (distlib) Extract tarballs more safely on Python with tarfile > filters (PEP 706) > >--- > distlib/util.py | 13 +++++++++++++ > tests/evil.tar.gz | Bin 0 -> 148 bytes > tests/test_util.py | 4 ++++ > 3 files changed, 17 insertions(+) > create mode 100644 tests/evil.tar.gz > >diff --git a/src/pip/_vendor/distlib/util.py b/src/pip/_vendor/distlib/util.py >index e0622e4..4349d0b 100644 >--- a/src/pip/_vendor/distlib/util.py >+++ b/src/pip/_vendor/distlib/util.py >@@ -1249,6 +1249,19 @@ def check_path(path): > for tarinfo in archive.getmembers(): > if not isinstance(tarinfo.name, text_type): > tarinfo.name = tarinfo.name.decode('utf-8') >+ >+ # Limit extraction of dangerous items, if this Python >+ # allows it easily. If not, just trust the input. >+ # See: https://docs.python.org/3/library/tarfile.html#extraction-filters >+ def extraction_filter(member, path): >+ """Run tarfile.tar_filter, but raise the expected ValueError""" >+ # This is only called if the current Python has tarfile filters >+ try: >+ return tarfile.tar_filter(member, path) >+ except tarfile.FilterError as exc: >+ raise ValueError(str(exc)) >+ archive.extraction_filter = extraction_filter >+ > archive.extractall(dest_dir) > > finally:
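Review bot: in the first hunk (pip/_internal/utils/unpacking.py), the added call `member = tarfile.data_filter(member, location)` at the top of the loop is unconditional, so on a Python whose tarfile module has no extraction filters it fails with AttributeError instead of extracting. The distlib hunk in the same patch explicitly allows for Pythons without filters; this one should either guard the call (for example with `hasattr(tarfile, "data_filter")`) or state in a comment that the patched pip is only built against a Python that carries PEP 706. Also confirm that the enclosing `try:` handles tarfile.FilterError, since the visible lines do not show an except clause for it, and rejecting a member will now raise from inside the loop.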
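Review bot: in the second hunk (pip/_vendor/distlib/util.py), `extraction_filter` wraps `tarfile.tar_filter`, while the pip hunk above applies the stricter `tarfile.data_filter`, so the two extraction paths in one patch enforce different policies. tar_filter blocks absolute paths and members that land outside the destination, but unlike data_filter it does not reject links that point outside the destination or special files; unless distlib needs tar_filter for compatibility, use data_filter here too, or document the reason for the difference next to the "Limit extraction of dangerous items" comment. The fallback "If not, just trust the input" also means an older Python extracts with no checks and no warning, which deserves at least a logged message. Finally, the commit header lists tests/evil.tar.gz and tests/test_util.py, but only the util.py diff is present, so the vendored copy ships without the regression test.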