Bug 2218876

Summary: python-pygments: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)
Product: Red Hat Enterprise Linux 8
Reporter: Petr Viktorin (pviktori) <pviktori>
Component: python-pygments
Assignee: Python Maintainers <python-maint>
Status: CLOSED WONTFIX
QA Contact: RHEL CS Apps Subsystem QE <rhel-cs-apps-subsystem-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.9
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-07-12 13:33:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 263261

Comment 1 Petr Viktorin (pviktori) 2023-07-12 13:33:59 UTC
The extraction only happens when pygments.lexers._php_builtins.py is run as a script. In this case, the script is meant to download new data and *rewrite itself*.
- No one should need to run that.
- You need to be root to rewrite the RPM-installed file.
- The CVE is mitigated by default. Users get a *warning* about possibly changed (more secure) behaviour, but the tarball is extracted normally. And safely, unless the user configured a weaker policy.

Won't fix.