2207997 – [RHEL9]python-pip: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)

Bug 2207997 - [RHEL9]python-pip: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)

Summary: [RHEL9]python-pip: Python tarfile extraction needs change to avoid a warning ...

Keywords:
Status:	VERIFIED
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	python-pip
Sub Component:
Version:	9.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Petr Viktorin
QA Contact:	Lukáš Zachar
Docs Contact:
URL:
Whiteboard:
Depends On:	CVE-2007-4559
Blocks:
TreeView+	depends on / blocked

Reported:	2023-05-17 15:02 UTC by Petr Viktorin
Modified:	2023-08-16 09:53 UTC (History)
CC List:	1 user (show)
Fixed In Version:	python-pip-21.2.3-7.el9
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	2218241 2218247 2218267 (view as bug list)
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	pypa pip issues 12111	0	None	open	Use tarfile filters (PEP 706) when unpacking?	2023-06-27 15:27:54 UTC
Red Hat Issue Tracker	RHELPLAN-157520	0	None	None	None	2023-05-17 15:04:53 UTC

Comment 1 Petr Viktorin 2023-05-17 16:05:43 UTC

> We may need a security report for pip

Probably a false alarm.
I *can* make a tarball that causes this function to write a file to an arbitrary location in the filesystem... but all code paths I could find in pip that use this function then run code from the extracted tarball. So users need to trust what they `pip download`, anyway.

Comment 2 Petr Viktorin 2023-06-27 15:27:54 UTC

Upstream issue: https://github.com/pypa/pip/issues/12111
(This doesn't cover bundled libraries)

Comment 3 Charalampos Stratakis 2023-08-10 12:11:50 UTC

PR: https://gitlab.com/redhat/centos-stream/rpms/python-pip/-/merge_requests/12

Comment 4 Charalampos Stratakis 2023-08-10 12:13:14 UTC

Verified in the PR.

Comment 5 Charalampos Stratakis 2023-08-10 12:13:52 UTC

For verification:

Run this script to create a malformed tarball:

"""
import tarfile

def mkinfo(name, **kwargs):
    tarinfo = tarfile.TarInfo(name=name)
    for name, value in kwargs.items():
        setattr(tarinfo, name, value)
    return tarinfo

with tarfile.open('evil.tar.gz', 'w:gz') as tf:
    tf.addfile(mkinfo('./pyproject.toml'))
    tf.addfile(mkinfo('./tmp', type=tarfile.SYMTYPE,
                      linkname='../../../../../../../../tmp'))
    tf.addfile(mkinfo('./tmp/poc'))
"""

And then run python3 -m pip install evil.tar.gz

On an unpatched pip the evil.tar.gz will install successfully.

On a fixed/patched one a "tarfile.OutsideDestinationError: 'tmp/poc' would be extracted to '/tmp/poc', which is outside the destination" will appear.

Note You need to log in before you can comment on or make changes to this bug.