Bug 2218247

Summary:	[RHEL9]python3.11-pip: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)
Product:	Red Hat Enterprise Linux 9	Reporter:	Charalampos Stratakis <cstratak>
Component:	python3.11-pip	Assignee:	Petr Viktorin <pviktori>
Status:	VERIFIED ---	QA Contact:	Lukáš Zachar <lzachar>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	9.3	CC:	cstratak, pviktori, python-maint, rhel-cs-apps-subsystem-qe, torsava
Target Milestone:	rc	Keywords:	Triaged
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	python3.11-pip-22.3.1-4.el9	Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:	2207997
Clones:	2218249 (view as bug list)		Environment:
Last Closed:		Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	263261
Bug Blocks:

Comment 1 Charalampos Stratakis 2023-08-09 22:11:15 UTC

PR: https://gitlab.com/redhat/centos-stream/rpms/python3.11-pip/-/merge_requests/8

Comment 2 Charalampos Stratakis 2023-08-09 22:13:24 UTC

For verification:

Run this script to create a malformed tarball:

"""
import tarfile

def mkinfo(name, **kwargs):
    tarinfo = tarfile.TarInfo(name=name)
    for name, value in kwargs.items():
        setattr(tarinfo, name, value)
    return tarinfo

with tarfile.open('evil.tar.gz', 'w:gz') as tf:
    tf.addfile(mkinfo('./pyproject.toml'))
    tf.addfile(mkinfo('./tmp', type=tarfile.SYMTYPE,
                      linkname='../../../../../../../../tmp'))
    tf.addfile(mkinfo('./tmp/poc'))
"""

And then run python3.11 -m pip install evil.tar.gz

On an unpatched pip the evil.tar.gz will install successfully.

On a fixed/patched one a "tarfile.OutsideDestinationError: 'tmp/poc' would be extracted to '/tmp/poc', which is outside the destination" will appear.

Comment 3 Charalampos Stratakis 2023-08-09 22:14:26 UTC

Verified on the PR.