Bugzilla – Bug 1203750
VUL-0: CVE-2007-4559: python36,python3,python39,python310,python,python27: python tarfile module directory traversal
Last modified: 2024-06-13 15:44:28 UTC
rh#263261
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4559 to the following vulnerability:

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

References:
Issue and additional attack vectors were discussed in the following thread on the python-dev mailing list:
http://mail.python.org/pipermail/python-dev/2007-August/074290.html
Upstream bug tracking possible fixes for the issue:
http://bugs.python.org/issue1044

References:
https://bugzilla.redhat.com/show_bug.cgi?id=263261
https://bugzilla.redhat.com/show_bug.cgi?id=430635
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4559
http://people.canonical.com/~ubuntu-security/cve/2007/CVE-2007-4559.html
https://access.redhat.com/security/cve/CVE-2007-4559
https://www.cve.org/CVERecord?id=CVE-2007-4559
still discussed upstream, no final solution
The current proposed solution is https://github.com/python/cpython/issues/73974, but upstream has not agreed on the correct solution yet.
This problem has been around for a long time in the python interpreter. The solution given some time ago was to add a warning in the API doc [1], so the user of the tarfile module is responsible for the path check, but even today the discussion about what to do is going on, with different solutions proposed. One possible solution is to add the traversal path check by default in extract and raise an exception, but there's no consensus about it upstream, and changing the default behavior could break a lot of things, so it's not as simple as that. So taking the decision downstream and patching doesn't seem correct to me until upstream chooses a direction.

[1] https://docs.python.org/3/library/tarfile.html?highlight=extractall#tarfile.TarFile.extractall
Possible upstream proposal https://discuss.python.org/t/policies-for-tarfile-extractall-a-k-a-fixing-cve-2007-4559/23149
It is a PEP now: https://peps.python.org/pep-0706/
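As an added example (not code from this bug, from CPython or from any of the updates listed here), a defender-side extraction helper that performs the caller-side path check the tarfile docs asked for and, where the interpreter provides it, the PEP 706 `data` filter instead. The archive is constructed in memory for the demonstration; the function names are mine.

```python
import io
import os
import tarfile
import tempfile

HAS_FILTERS = hasattr(tarfile, "data_filter")  # PEP 706: 3.12+ and the backports above

def build_tar(members):
    """Constructed in-memory archive from (name, payload) pairs; tarfile accepts
    a member name such as '../x' unchanged when writing."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def check_member(member, dest):
    """Caller-side check the docs recommended: the member's resolved target must
    stay under dest, which rejects '..' components (and absolute names)."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member.name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(f"{member.name!r} would land outside {dest_real}")

def find_unsafe(data, dest):
    """Names of members that would escape dest, collected before anything is
    written; the PEP 706 data filter is used when available, else check_member."""
    check = tarfile.data_filter if HAS_FILTERS else check_member
    unsafe = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            try:
                check(member, dest)  # data_filter raises a tarfile.FilterError
            except (ValueError, tarfile.TarError):
                unsafe.append(member.name)
    return unsafe

def safe_extractall(data, dest=None):
    """Refuse the whole archive if any member is unsafe; otherwise extract into
    dest (a fresh temp dir when None) and return the top-level names written."""
    dest = dest or tempfile.mkdtemp()
    unsafe = find_unsafe(data, dest)
    if unsafe:
        raise ValueError(f"refusing archive, unsafe members: {unsafe}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        tar.extractall(dest, **({"filter": "data"} if HAS_FILTERS else {}))
    return sorted(os.listdir(dest))
```

Note that the archive is vetted as a whole before extraction starts, so a bad member late in the archive cannot leave earlier members already on disk.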
This is an autogenerated message for OBS integration: This bug (1203750) was mentioned in https://build.opensuse.org/request/show/1083438 Factory / python310
This is an autogenerated message for OBS integration: This bug (1203750) was mentioned in https://build.opensuse.org/request/show/1083777 Factory / python310
This is an autogenerated message for OBS integration: This bug (1203750) was mentioned in https://build.opensuse.org/request/show/1084262 Factory / python311
This is an autogenerated message for OBS integration: This bug (1203750) was mentioned in https://build.opensuse.org/request/show/1090625 Factory / python38
SUSE-SU-2023:2463-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1203750
CVE References: CVE-2007-4559
Sources used:
openSUSE Leap 15.4 (src): python310-documentation-3.10.11-150400.4.25.1, python310-3.10.11-150400.4.25.1, python310-core-3.10.11-150400.4.25.1
openSUSE Leap 15.5 (src): python310-documentation-3.10.11-150400.4.25.1, python310-3.10.11-150400.4.25.1, python310-core-3.10.11-150400.4.25.1
Python 3 Module 15-SP4 (src): python310-3.10.11-150400.4.25.1, python310-core-3.10.11-150400.4.25.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2473-1: An update that solves one vulnerability and has one fix can now be installed.
Category: security (moderate)
Bug References: 1203750, 1211158
CVE References: CVE-2007-4559
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): python36-core-3.6.15-46.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python36-core-3.6.15-46.1, python36-3.6.15-46.1
SUSE Linux Enterprise Server 12 SP5 (src): python36-core-3.6.15-46.1, python36-3.6.15-46.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python36-core-3.6.15-46.1, python36-3.6.15-46.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2509-1: An update that solves one vulnerability and has one fix can now be installed.
Category: security (moderate)
Bug References: 1203750, 1211158
CVE References: CVE-2007-4559
Sources used:
SUSE Linux Enterprise Micro 5.1 (src): python3-3.6.15-150000.3.132.1, python3-core-3.6.15-150000.3.132.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2517-1: An update that solves one vulnerability and has one fix can now be installed.
Category: security (moderate)
Bug References: 1203750, 1211158
CVE References: CVE-2007-4559
Sources used:
openSUSE Leap Micro 5.3 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
openSUSE Leap 15.4 (src): python3-documentation-3.6.15-150300.10.48.1, python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
openSUSE Leap 15.5 (src): python3-documentation-3.6.15-150300.10.48.1, python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
SUSE Linux Enterprise Micro 5.3 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
SUSE Linux Enterprise Micro 5.4 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
Basesystem Module 15-SP4 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
Basesystem Module 15-SP5 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
Development Tools Module 15-SP4 (src): python3-core-3.6.15-150300.10.48.1
Development Tools Module 15-SP5 (src): python3-core-3.6.15-150300.10.48.1
SUSE Linux Enterprise Real Time 15 SP3 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
SUSE Linux Enterprise Micro 5.2 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Without an answer to comment 35, everything else is done.
This is an autogenerated message for OBS integration: This bug (1203750) was mentioned in https://build.opensuse.org/request/show/1095863 Factory / python310
This is an autogenerated message for OBS integration: This bug (1203750) was mentioned in https://build.opensuse.org/request/show/1095964 Factory / python38
This is an autogenerated message for OBS integration: This bug (1203750) was mentioned in https://build.opensuse.org/request/show/1096213 Factory / python39
This is an autogenerated message for OBS integration: This bug (1203750) was mentioned in https://build.opensuse.org/request/show/1096536 Factory / python311
SUSE-SU-2023:2778-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1203750
CVE References: CVE-2007-4559
Sources used:
Python 3 Module 15-SP4 (src): python311-3.11.3-150400.9.12.1, python311-core-3.11.3-150400.9.12.1, python311-documentation-3.11.3-150400.9.12.1
Python 3 Module 15-SP5 (src): python311-3.11.3-150400.9.12.1, python311-core-3.11.3-150400.9.12.1, python311-documentation-3.11.3-150400.9.12.1
openSUSE Leap 15.4 (src): python311-3.11.3-150400.9.12.1, python311-core-3.11.3-150400.9.12.1, python311-documentation-3.11.3-150400.9.12.1
openSUSE Leap 15.5 (src): python311-3.11.3-150400.9.12.1, python311-core-3.11.3-150400.9.12.1, python311-documentation-3.11.3-150400.9.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2884-1: An update that solves two vulnerabilities and has one fix can now be installed.
Category: security (important)
Bug References: 1203750, 1208471, 1211765
CVE References: CVE-2007-4559, CVE-2023-24329
Sources used:
openSUSE Leap 15.5 (src): python310-3.10.12-150400.4.30.1, python310-documentation-3.10.12-150400.4.30.1, python310-core-3.10.12-150400.4.30.1
Python 3 Module 15-SP4 (src): python310-3.10.12-150400.4.30.1, python310-core-3.10.12-150400.4.30.1
openSUSE Leap 15.4 (src): python310-3.10.12-150400.4.30.1, python310-documentation-3.10.12-150400.4.30.1, python310-core-3.10.12-150400.4.30.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2957-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1203750, 1208471
CVE References: CVE-2007-4559, CVE-2023-24329
Sources used:
openSUSE Leap 15.4 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1, python39-documentation-3.9.17-150300.4.30.1
openSUSE Leap 15.5 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1, python39-documentation-3.9.17-150300.4.30.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
SUSE Linux Enterprise Real Time 15 SP3 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
SUSE Manager Proxy 4.2 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
SUSE Manager Retail Branch Server 4.2 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
SUSE Manager Server 4.2 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
SUSE Enterprise Storage 7.1 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done
We currently do not plan to fix this for python 2. Background is that the patch is huge and risks introducing regressions; also, the python team is in a mixed state about where this should be fixed and up to now has considered this fix to be in callers of the module.
SUSE-SU-2023:2641-1: An update that solves one vulnerability and has one security fix can now be installed.
Category: security (moderate)
Bug References: 1203750, 1211158
CVE References: CVE-2007-4559
Sources used:
openSUSE Leap 15.3 (src): python39-core-3.9.16-150300.4.27.1, python39-3.9.16-150300.4.27.1, python39-documentation-3.9.16-150300.4.27.1
openSUSE Leap 15.4 (src): python39-core-3.9.16-150300.4.27.1, python39-3.9.16-150300.4.27.1, python39-documentation-3.9.16-150300.4.27.1
openSUSE Leap 15.5 (src): python39-core-3.9.16-150300.4.27.1, python39-3.9.16-150300.4.27.1, python39-documentation-3.9.16-150300.4.27.1
SUSE Linux Enterprise Real Time 15 SP3 (src): python39-core-3.9.16-150300.4.27.1, python39-3.9.16-150300.4.27.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2937-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1203750, 1208471
CVE References: CVE-2007-4559, CVE-2023-24329
Sources used:
openSUSE Leap 15.4 (src): python311-3.11.4-150400.9.15.1, python311-documentation-3.11.4-150400.9.15.2, python311-core-3.11.4-150400.9.15.3
openSUSE Leap 15.5 (src): python311-3.11.4-150400.9.15.1, python311-documentation-3.11.4-150400.9.15.2, python311-core-3.11.4-150400.9.15.3
Python 3 Module 15-SP4 (src): python311-3.11.4-150400.9.15.1, python311-documentation-3.11.4-150400.9.15.2, python311-core-3.11.4-150400.9.15.3
Python 3 Module 15-SP5 (src): python311-3.11.4-150400.9.15.1, python311-documentation-3.11.4-150400.9.15.2, python311-core-3.11.4-150400.9.15.3
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.