Some vulnerabilities have been reported in the Python tarfile module, which can be exploited by malicious people to compromise a vulnerable system. The vulnerabilities are caused by input validation errors when extracting tar archives. This can be exploited to extract files to arbitrary locations outside the specified directory with the permissions of the application using the tarfile module by using the "../" directory traversal sequence or malicious symlinks in a specially crafted tar archive. The vulnerabilities are reported in Python 2.5. Other versions may also be affected.
CC'ing herd and setting whiteboard status.
Other versions are affected.
The list's thread upstream is dead and there's neither a bug nor a commit about this. python, could you follow that up?
Upstream bug report is closed and the Python documentation was updated: Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of *path*, e.g. members that have absolute filenames starting with ``"/"`` or filenames with two dots ``".."``. See http://bugs.python.org/issue1044 https://bugzilla.redhat.com/show_bug.cgi?id=263261 We won't see an upstream fix for this issue.
In that case I guess we can close this one as INVALID?
Sadly, yes.
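The following is an added worked example, not code from this bug thread or from Python's tarfile module. It shows the three member kinds the description names (a "../" name, an absolute name, and a symlink that leaves the extraction root) in a constructed in-memory archive, and then the "prior inspection" the updated documentation asks for: check every member against the destination before anything is written, and refuse the whole archive on any finding. The function names build_sample_archive, unsafe_members, safe_extractall and demo are assumptions made for this illustration; the sample archive contents are constructed.

```python
import io
import os
import tarfile
import tempfile


def build_sample_archive(hostile: bool) -> bytes:
    """Build a tar archive in memory. Constructed sample data, not a real artifact.

    hostile=True adds the member kinds named in the advisory: a "../" name,
    an absolute name, and a symlink pointing outside the extraction root
    (followed by a file that would be written through that symlink).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)   # addfile() keeps the name verbatim,
            info.size = len(data)          # unlike add(), which strips a leading "/"
            tar.addfile(info, io.BytesIO(data))

        def add_symlink(name: str, linkname: str) -> None:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = linkname
            tar.addfile(info)

        add_file("project/README", b"benign content\n")
        add_symlink("project/link", "README")            # stays inside the tree
        if hostile:
            add_file("../escape.txt", b"dot-dot traversal\n")
            add_file("/etc/absolute.txt", b"absolute path\n")
            add_symlink("project/out", "../../outside")  # escapes the tree
            add_file("project/out/payload", b"written through the symlink\n")
    return buf.getvalue()


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return (name, reason) for every member that would touch a path outside dest.

    This is the inspection step: it runs before anything is written, so the
    whole archive can be refused instead of extracting it member by member.
    """
    root = os.path.realpath(dest)

    def inside(path: str) -> bool:
        return os.path.commonpath([root, os.path.realpath(path)]) == root

    findings = []
    for m in tar.getmembers():
        target = os.path.join(root, m.name)  # an absolute m.name discards root here
        if not inside(target):
            findings.append((m.name, "member path escapes destination"))
        elif m.issym() and not inside(os.path.join(os.path.dirname(target), m.linkname)):
            # a symlink target is resolved relative to the directory holding the link
            findings.append((m.name, "symlink target escapes destination"))
        elif m.islnk() and not inside(os.path.join(root, m.linkname)):
            # a hard link target is resolved relative to the archive root
            findings.append((m.name, "hard link target escapes destination"))
    return findings


def safe_extractall(data: bytes, dest: str) -> list:
    """Inspect every member, refuse the whole archive on any finding, else extract."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        findings = unsafe_members(tar, dest)
        if findings:
            raise ValueError("refusing archive: " +
                             "; ".join(f"{n} ({r})" for n, r in findings))
        # Python 3.12+ ships equivalent checks as the "data" extraction filter;
        # apply it as well where it exists, so extraction uses it by default
        opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **opts)
        return [m.name for m in tar.getmembers()]


def demo() -> dict:
    """Run both archives against a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as dest:
        hostile = build_sample_archive(hostile=True)
        with tarfile.open(fileobj=io.BytesIO(hostile), mode="r") as tar:
            flagged = sorted(name for name, _ in unsafe_members(tar, dest))
        try:
            safe_extractall(hostile, dest)
            refused = False
        except ValueError:
            refused = True
        extracted = safe_extractall(build_sample_archive(hostile=False), dest)
        readme_on_disk = os.path.isfile(os.path.join(dest, "project", "README"))
    return {"flagged": flagged, "refused": refused,
            "extracted": extracted, "readme_on_disk": readme_on_disk}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is deliberately all-or-nothing: "project/out/payload" looks harmless on its own because the symlink it would traverse does not exist yet when the inspection runs, so it only stays harmless if the archive carrying the hostile "project/out" symlink is rejected as a whole rather than extracted member by member.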