Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 191042

Summary: dev-lang/python tarfile Module Directory Traversal and Symlink Vulnerability (CVE-2007-4559)
Product: Gentoo Security Reporter: Matt Fleming (RETIRED) <mjf>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: major CC: python
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/26623/
Whiteboard: A2 [upstream]
Package list:
Runtime testing required: ---

Description Matt Fleming (RETIRED) gentoo-dev 2007-09-02 11:21:30 UTC 
Some vulnerabilities have been reported in the Python tarfile module, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerabilities are caused due to input validation errors when extracting tar archives. This can be exploited to extract files to arbitrary locations outside the specified directory with the permissions of the application using the tarfile module by using the "../" directory traversal sequence or malicious symlinks in a specially crafted tar archive.

The vulnerabilities are reported in Python 2.5. Other versions may also be affected.
Comment 1 Matt Fleming (RETIRED) gentoo-dev 2007-09-02 11:25:30 UTC 
CC'ing herd and setting whiteboard status.
Comment 2 Jonathan Smith (RETIRED) gentoo-dev 2007-09-03 00:05:18 UTC 
other versions are affected
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-09-09 12:53:54 UTC 
The list's thread upstream is dead and there's neither a bug nor a commit about this.
python, could you follow that up?
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-09-18 17:05:19 UTC 
Upstream bug report is closed and the python documentation was updated:
   Never extract archives from untrusted sources without prior inspection.
   It is possible that files are created outside of *path*, e.g. members
   that have absolute filenames starting with ``"/"`` or filenames with two
   dots ``".."``.

See
  http://bugs.python.org/issue1044
  https://bugzilla.redhat.com/show_bug.cgi?id=263261

We won't see an upstream fix for this issue.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-24 16:33:21 UTC 
In that case I guess we can close this one as INVALID?
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-09-24 21:55:33 UTC 
Sadly, yes.