2218249 – [RHEL8]python3.11-pip: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)

Bug 2218249 - [RHEL8]python3.11-pip: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)

Summary: [RHEL8]python3.11-pip: Python tarfile extraction needs change to avoid a warn...

Keywords:
Status:	VERIFIED
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	python3.11-pip
Sub Component:
Version:	8.9
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Charalampos Stratakis
QA Contact:	Lukáš Zachar
Docs Contact:
URL:
Whiteboard:
Depends On:	CVE-2007-4559
Blocks:
TreeView+	depends on / blocked

Reported:	2023-06-28 14:21 UTC by Charalampos Stratakis
Modified:	2023-08-16 09:49 UTC (History)
CC List:	5 users (show)
Fixed In Version:	python3.11-pip-22.3.1-4.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	2218247
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-161105	0	None	None	None	2023-06-28 14:24:39 UTC

Comment 1 Charalampos Stratakis 2023-08-09 22:51:27 UTC

For verification:

Run this script to create a malformed tarball:

"""
import tarfile

def mkinfo(name, **kwargs):
    tarinfo = tarfile.TarInfo(name=name)
    for name, value in kwargs.items():
        setattr(tarinfo, name, value)
    return tarinfo

with tarfile.open('evil.tar.gz', 'w:gz') as tf:
    tf.addfile(mkinfo('./pyproject.toml'))
    tf.addfile(mkinfo('./tmp', type=tarfile.SYMTYPE,
                      linkname='../../../../../../../../tmp'))
    tf.addfile(mkinfo('./tmp/poc'))
"""

And then run python3.11 -m pip install evil.tar.gz

On an unpatched pip the evil.tar.gz will install successfully.

On a fixed/patched one a "tarfile.OutsideDestinationError: 'tmp/poc' would be extracted to '/tmp/poc', which is outside the destination" will appear.

Comment 2 Charalampos Stratakis 2023-08-09 22:51:40 UTC

PR: https://gitlab.com/redhat/centos-stream/rpms/python3.11-pip/-/merge_requests/9

Comment 3 Charalampos Stratakis 2023-08-09 22:52:29 UTC

The issue is fixed via the PR.

Note You need to log in before you can comment on or make changes to this bug.