Bug 2218275 - [RHEL8]python39:3.9/python39: python39-pip: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)
Summary: [RHEL8]python39:3.9/python39: python39-pip: Python tarfile extraction needs c...
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: python3x-pip
Version: 8.9
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Petr Viktorin
QA Contact: Lukáš Zachar
URL:
Whiteboard:
Depends On: CVE-2007-4559
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-06-28 14:28 UTC by Charalampos Stratakis
Modified: 2023-08-16 09:48 UTC (History)
4 users (show)

Fixed In Version: python39-3.9-8090020230810143808.7484f1d1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2218267
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-161112 0 None None None 2023-06-28 14:28:54 UTC

Comment 1 Charalampos Stratakis 2023-08-09 23:37:41 UTC 
PR: https://gitlab.com/redhat/centos-stream/rpms/python3x-pip/-/merge_requests/3
Comment 2 Charalampos Stratakis 2023-08-09 23:38:31 UTC 
Verified through the PR with:

"""
import tarfile

def mkinfo(name, **kwargs):
    tarinfo = tarfile.TarInfo(name=name)
    for name, value in kwargs.items():
        setattr(tarinfo, name, value)
    return tarinfo

with tarfile.open('evil.tar.gz', 'w:gz') as tf:
    tf.addfile(mkinfo('./pyproject.toml'))
    tf.addfile(mkinfo('./tmp', type=tarfile.SYMTYPE,
                      linkname='../../../../../../../../tmp'))
    tf.addfile(mkinfo('./tmp/poc'))
"""

And then run python3.9 -m pip install evil.tar.gz

On an unpatched pip the evil.tar.gz will install successfully.

On a fixed/patched one a "tarfile.OutsideDestinationError: 'tmp/poc' would be extracted to '/tmp/poc', which is outside the destination" will appear.
Note You need to log in before you can comment on or make changes to this bug.