Skip to content

CVE-2007-4559 Patch #408

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lucashuy merged 7 commits into from
Nov 22, 2022
Merged

CVE-2007-4559 Patch #408

lucashuy merged 7 commits into from
Nov 22, 2022

Conversation

@TrellixVulnTeam
Copy link
Contributor

@TrellixVulnTeam TrellixVulnTeam commented Nov 20, 2022

Patching CVE-2007-4559

Hi, we are security researchers from the Advanced Research Center at Trellix. We have began a campaign to patch a widespread bug named CVE-2007-4559. CVE-2007-4559 is a 15 year old bug in the Python tarfile package. By using extract() or extractall() on a tarfile object without sanitizing input, a maliciously crafted .tar file could perform a directory path traversal attack. We found at least one unsantized extractall() in your codebase and are providing a patch for you via pull request. The patch essentially checks to see if all tarfile members will be extracted safely and throws an exception otherwise. We encourage you to use this patch or your own solution to secure against CVE-2007-4559. Further technical information about the vulnerability can be found in this blog.

If you have further questions you may contact us through this projects lead researcher Kasimir Schulz.

@TrellixVulnTeam TrellixVulnTeam requested a review from a team as a code owner November 20, 2022 22:20
@github-actions github-actions bot added area/workflow/node_npm area/workflow/python_pip area/workflow/ruby_bundler pr/external stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. labels Nov 20, 2022
hawflau
hawflau previously requested changes Nov 21, 2022
View reviewed changes
Copy link
Contributor

@hawflau hawflau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @TrellixVulnTeam for the security patch!

I believe we should look to move is_within_directory and safe_extract to a common place to reduce repetition. Also should we add some tests?

@mildaniel mildaniel removed the stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. label Nov 22, 2022
hnnasit
hnnasit approved these changes Nov 22, 2022
View reviewed changes
Copy link
Contributor

@hnnasit hnnasit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@hawflau hawflau dismissed their stale review November 22, 2022 17:53

dismissing

lucashuy
lucashuy reviewed Nov 22, 2022
View reviewed changes
@lucashuy lucashuy enabled auto-merge (squash) November 22, 2022 22:44
@lucashuy lucashuy merged commit 1191c96 into aws:develop Nov 22, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hawflau hawflau hawflau left review comments

@lucashuy lucashuy lucashuy approved these changes

@hnnasit hnnasit hnnasit approved these changes

@qingchm qingchm Awaiting requested review from qingchm qingchm was automatically assigned from aws/serverless-application-experience-sbt

Assignees

No one assigned

Labels

area/workflow/node_npm area/workflow/python_pip area/workflow/ruby_bundler pr/external

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@TrellixVulnTeam @hawflau @lucashuy @hnnasit @mildaniel