Bug 2218247 - [RHEL9]python3.11-pip: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)
Summary: [RHEL9]python3.11-pip: Python tarfile extraction needs change to avoid a warn...
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: python3.11-pip
Version: 9.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Petr Viktorin
QA Contact: Lukáš Zachar
URL:
Whiteboard:
Depends On: CVE-2007-4559
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-06-28 14:18 UTC by Charalampos Stratakis
Modified: 2023-08-16 09:52 UTC (History)
5 users (show)

Fixed In Version: python3.11-pip-22.3.1-4.el9
Doc Type: No Doc Update
Doc Text:
Clone Of: 2207997
: 2218249 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-161103 0 None None None 2023-06-28 14:20:45 UTC

Comment 1 Charalampos Stratakis 2023-08-09 22:11:15 UTC 
PR: https://gitlab.com/redhat/centos-stream/rpms/python3.11-pip/-/merge_requests/8
Comment 2 Charalampos Stratakis 2023-08-09 22:13:24 UTC 
For verification:

Run this script to create a malformed tarball:

"""
import tarfile

def mkinfo(name, **kwargs):
    tarinfo = tarfile.TarInfo(name=name)
    for name, value in kwargs.items():
        setattr(tarinfo, name, value)
    return tarinfo

with tarfile.open('evil.tar.gz', 'w:gz') as tf:
    tf.addfile(mkinfo('./pyproject.toml'))
    tf.addfile(mkinfo('./tmp', type=tarfile.SYMTYPE,
                      linkname='../../../../../../../../tmp'))
    tf.addfile(mkinfo('./tmp/poc'))
"""

And then run python3.11 -m pip install evil.tar.gz

On an unpatched pip the evil.tar.gz will install successfully.

On a fixed/patched one a "tarfile.OutsideDestinationError: 'tmp/poc' would be extracted to '/tmp/poc', which is outside the destination" will appear.
Comment 3 Charalampos Stratakis 2023-08-09 22:14:26 UTC 
Verified on the PR.
Note You need to log in before you can comment on or make changes to this bug.