Bug 2218876 - python-pygments: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)
Summary: python-pygments: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: python-pygments
Version: 8.9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Python Maintainers
QA Contact: RHEL CS Apps Subsystem QE
URL:
Whiteboard:
Depends On: CVE-2007-4559
Blocks:
Reported: 2023-06-30 11:41 UTC by Petr Viktorin
Modified: 2023-07-12 13:34 UTC
CC List: 0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-07-12 13:33:59 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
Red Hat Issue Tracker: RHELPLAN-161325 (Private: None; Priority: None; Status: None; Summary: None; last updated 2023-06-30 11:43:27 UTC)

Comment 1 Petr Viktorin 2023-07-12 13:33:59 UTC
The extraction only happens when pygments.lexers._php_builtins.py is run as a script. In this case, the script is meant to download new data and *rewrite itself*.
- No one should need to run that.
- You need to be root to rewrite the RPM-installed file.
- The CVE is mitigated by default. Users get a *warning* about possibly changed (more secure) behaviour, but the tarball is extracted normally, and safely, unless the user configured a weaker policy.

Won't fix.
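
The mitigation the comment above refers to is the tarfile extraction filter from PEP 706 (the `filter` argument to `extractall()`, and the `DeprecationWarning` emitted on Pythons that have it when no filter is chosen). The script below is an added example, not code from python-pygments or from the bug report: it builds a small archive in memory containing a member named `../escaped.txt` (the CVE-2007-4559 pattern), then extracts it once with the historical unfiltered behaviour and once with the `data` filter. `check_member()` is a hypothetical stand-in for the filter's path checks, used only on interpreters that lack PEP 706; the archive contents, member names and scratch-directory layout are constructed for the demonstration.

```python
"""Tar path traversal (CVE-2007-4559) and its PEP 706 mitigation.

Added example for this bug page; it is not code from python-pygments or
from the reporter. The archive, member names and contents are constructed
here for illustration.
"""
import io
import os
import tarfile
import tempfile

# tarfile.FilterError exists only on interpreters with PEP 706 filters
# (3.12+ and the 3.8.17/3.9.17/3.10.12/3.11.4 backports); fall back to
# ValueError so the except clause below is valid everywhere.
FILTER_ERRORS = (ValueError, getattr(tarfile, "FilterError", ValueError))


def build_tarball() -> bytes:
    """Constructed sample archive: one benign member and one whose name
    walks above the extraction directory, as in CVE-2007-4559."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("data/ok.txt", b"hello\n"),
                              ("../escaped.txt", b"owned\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def check_member(member: tarfile.TarInfo, dest: str) -> None:
    """Hypothetical stand-in for the path checks of tarfile's 'data' filter,
    for interpreters that predate PEP 706. Rejects members whose target
    path, or whose symlink/hardlink target, resolves outside dest."""
    real_dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(real_dest, member.name))
    if os.path.commonpath([real_dest, target]) != real_dest:
        raise ValueError(f"{member.name!r} escapes {dest!r}")
    if member.issym():      # symlink targets are relative to the member's dir
        link = os.path.join(os.path.dirname(target), member.linkname)
    elif member.islnk():    # hardlink targets are relative to the archive root
        link = os.path.join(real_dest, member.linkname)
    else:
        return
    if os.path.commonpath([real_dest, os.path.realpath(link)]) != real_dest:
        raise ValueError(f"{member.name!r} links outside {dest!r}")


def extract(tar_bytes: bytes, dest: str, safe: bool) -> str:
    """Extract tar_bytes into dest and return 'ok' or 'rejected'.

    safe=True  -> filter='data' where available, else check_member().
    safe=False -> the historical unfiltered behaviour ('fully_trusted').
    """
    has_filters = hasattr(tarfile, "data_filter")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        try:
            if safe and has_filters:
                tar.extractall(dest, filter="data")
            elif safe:
                for member in tar.getmembers():
                    check_member(member, dest)
                tar.extractall(dest)
            elif has_filters:
                tar.extractall(dest, filter="fully_trusted")
            else:
                tar.extractall(dest)
        except FILTER_ERRORS:
            return "rejected"
    return "ok"


def demo(safe: bool) -> tuple:
    """Extract the sample into scratch/dest and report (result, whether
    scratch/escaped.txt was written, i.e. whether the traversal succeeded)."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "dest")
        os.mkdir(dest)
        result = extract(build_tarball(), dest, safe=safe)
        escaped = os.path.exists(os.path.join(scratch, "escaped.txt"))
        return result, escaped


if __name__ == "__main__":
    print("unfiltered:", demo(safe=False))   # the CVE: the file lands outside dest
    print("filtered:  ", demo(safe=True))    # mitigated: extraction is refused
```

With the `data` filter the offending member raises `tarfile.OutsideDestinationError` and nothing is written above the destination; with `fully_trusted` (or no filter on an old interpreter) the file is created one level up. Setting `tarfile.TarFile.extraction_filter = tarfile.data_filter` process-wide, or passing `filter="data"` at each call, is what silences the deprecation warning the comment mentions while keeping the safe behaviour.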

