Bug 1203750 (CVE-2007-4559) - VUL-0: CVE-2007-4559: python36,python3,python39,python310,python,python27: python tarfile module directory traversal
Status: RESOLVED FIXED
Alias: CVE-2007-4559
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/57438/
Whiteboard: CVSSv3.1:SUSE:CVE-2007-4559:5.4:(AV:N...
Reported: 2022-09-26 11:00 UTC by Robert Frohl
Modified: 2024-06-13 15:44 UTC

Found By: Security Response Team
Description Robert Frohl 2022-09-26 11:00:37 UTC
rh#263261

Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4559
to the following vulnerability:

Directory traversal vulnerability in the (1) extract and (2) extractall
functions in the tarfile module in Python allows user-assisted remote attackers
to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR
archive, a related issue to CVE-2001-1267.

References:

Issue and additional attack vectors were discussed in following thread on
python-dev mailinglist:

http://mail.python.org/pipermail/python-dev/2007-August/074290.html

Upstream bug tracking possible fixes for the issue:

http://bugs.python.org/issue1044

References:
https://bugzilla.redhat.com/show_bug.cgi?id=263261
https://bugzilla.redhat.com/show_bug.cgi?id=430635
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4559
http://people.canonical.com/~ubuntu-security/cve/2007/CVE-2007-4559.html
https://access.redhat.com/security/cve/CVE-2007-4559
https://www.cve.org/CVERecord?id=CVE-2007-4559
Comment 5 Robert Frohl 2022-10-11 09:05:02 UTC
still discussed upstream, no final solution
Comment 7 Matej Cepl 2022-10-30 23:55:42 UTC
The current proposed solution is https://github.com/python/cpython/issues/73974, but upstream has not agreed on the correct solution yet.
Comment 14 Daniel Garcia 2023-01-16 08:56:17 UTC
This problem has been around for a long time in the Python interpreter. The solution given some time ago was to add a warning in the API doc [1], so the user of the tarfile module is responsible for the path checks, but even today the discussion about what to do is going on, with different solutions proposed.

One possible solution is to add the traversal path check by default in extract and raise an exception, but there's no consensus about it upstream, and changing the default behavior could break a lot of things, so it's not as simple as that. So taking the decision downstream and patching doesn't seem correct to me until upstream chooses a direction.

[1] https://docs.python.org/3/library/tarfile.html?highlight=extractall#tarfile.TarFile.extractall
Comment 16 Matej Cepl 2023-02-16 23:09:59 UTC
It is a PEP now https://peps.python.org/pep-0706/
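The vector in the CVE description (a member name such as `../evil.txt` handed to `extract`/`extractall`), the pre-extraction check that comment 14 describes as one candidate fix, and the PEP 706 `filter="data"` mechanism mentioned above, as one added example. This is not code from this bug, from the SUSE packages or from CPython; the archives are constructed in memory, the function names are this example's own, and the PEP 706 filter is only exercised when the running interpreter has it (CPython 3.12+, and the 3.8-3.11 security backports).

```python
"""CVE-2007-4559: spot a traversal member and refuse the archive before
tarfile writes anything. Added example, not code from the bug or CPython."""
import io
import os
import tarfile
import tempfile
from typing import Optional

# Constructed sample archives: a benign one, and one carrying the
# '..' member name from the CVE description.
BENIGN = (("docs/readme.txt", b"harmless\n"),)
MALICIOUS = BENIGN + (("../evil.txt", b"owned\n"),)


def build_tar(members) -> bytes:
    """Write (name, payload) pairs into an uncompressed tar held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def _is_within(base: str, path: str) -> bool:
    """True if path, after '..' and symlink resolution, stays under base."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    return os.path.commonpath([base, path]) == base


def find_traversal_members(tar_bytes: bytes, dest: str = "extract") -> list:
    """Names of members that would be written (or linked) outside dest.

    The check runs on the joined, resolved path, so 'a/../../x' and absolute
    names are caught as well as a leading '..'. Symlink and hardlink targets
    are checked too; a link escaping dest is the other common route out.
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            target = os.path.join(dest, m.name)
            if os.path.isabs(m.name) or not _is_within(dest, target):
                bad.append(m.name)
                continue
            if m.issym():      # symlink target is relative to the member's dir
                link = os.path.join(os.path.dirname(target), m.linkname)
            elif m.islnk():    # hardlink target is relative to the archive root
                link = os.path.join(dest, m.linkname)
            else:
                continue
            if os.path.isabs(m.linkname) or not _is_within(dest, link):
                bad.append(m.name)
    return bad


def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Refuse the whole archive if any member fails the check, then extract.

    Where PEP 706 is available, filter='data' is passed as a second line of
    defence; it raises tarfile.FilterError for the same kind of member.
    Returns the sorted top-level names created under dest.
    """
    bad = find_traversal_members(tar_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract; traversal members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return sorted(os.listdir(dest))


def try_safe_extract(tar_bytes: bytes) -> tuple:
    """Run safe_extract into a fresh temp dir; return (accepted, top-level names)."""
    with tempfile.TemporaryDirectory() as dest:
        try:
            return True, safe_extract(tar_bytes, dest)
        except ValueError:
            return False, []


def pep706_rejects(tar_bytes: bytes) -> Optional[bool]:
    """None if this interpreter predates PEP 706; otherwise whether the
    'data' filter on its own (no pre-check) refuses the archive."""
    if not hasattr(tarfile, "data_filter"):
        return None
    with tempfile.TemporaryDirectory() as dest, \
            tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        try:
            tar.extractall(dest, filter="data")
        except tarfile.FilterError:
            return True
    return False


if __name__ == "__main__":
    evil = build_tar(MALICIOUS)
    print("traversal members:", find_traversal_members(evil))
    print("safe_extract verdict:", try_safe_extract(evil))
    print("PEP 706 data filter rejects it:", pep706_rejects(evil))
```

`pep706_rejects` doubles as a quick probe of whether a given interpreter (for instance one of the python3x packages listed in the update notices below) carries the PEP 706 backport: `None` means the module has no `data_filter` at all, so the application-level check in `find_traversal_members` is the only protection.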
Comment 18 OBSbugzilla Bot 2023-04-28 08:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1203750) was mentioned in
https://build.opensuse.org/request/show/1083438 Factory / python310
Comment 19 OBSbugzilla Bot 2023-04-30 20:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1203750) was mentioned in
https://build.opensuse.org/request/show/1083777 Factory / python310
Comment 20 OBSbugzilla Bot 2023-05-03 12:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1203750) was mentioned in
https://build.opensuse.org/request/show/1084262 Factory / python311
Comment 26 OBSbugzilla Bot 2023-06-03 10:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1203750) was mentioned in
https://build.opensuse.org/request/show/1090625 Factory / python38
Comment 33 Maintenance Automation 2023-06-08 08:30:21 UTC
SUSE-SU-2023:2463-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1203750
CVE References: CVE-2007-4559
Sources used:
openSUSE Leap 15.4 (src): python310-documentation-3.10.11-150400.4.25.1, python310-3.10.11-150400.4.25.1, python310-core-3.10.11-150400.4.25.1
openSUSE Leap 15.5 (src): python310-documentation-3.10.11-150400.4.25.1, python310-3.10.11-150400.4.25.1, python310-core-3.10.11-150400.4.25.1
Python 3 Module 15-SP4 (src): python310-3.10.11-150400.4.25.1, python310-core-3.10.11-150400.4.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 34 Maintenance Automation 2023-06-08 16:30:03 UTC
SUSE-SU-2023:2473-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (moderate)
Bug References: 1203750, 1211158
CVE References: CVE-2007-4559
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): python36-core-3.6.15-46.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python36-core-3.6.15-46.1, python36-3.6.15-46.1
SUSE Linux Enterprise Server 12 SP5 (src): python36-core-3.6.15-46.1, python36-3.6.15-46.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python36-core-3.6.15-46.1, python36-3.6.15-46.1
Comment 36 Maintenance Automation 2023-06-14 20:30:11 UTC
SUSE-SU-2023:2509-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (moderate)
Bug References: 1203750, 1211158
CVE References: CVE-2007-4559
Sources used:
SUSE Linux Enterprise Micro 5.1 (src): python3-3.6.15-150000.3.132.1, python3-core-3.6.15-150000.3.132.1
Comment 37 Maintenance Automation 2023-06-15 08:30:06 UTC
SUSE-SU-2023:2517-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (moderate)
Bug References: 1203750, 1211158
CVE References: CVE-2007-4559
Sources used:
openSUSE Leap Micro 5.3 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
openSUSE Leap 15.4 (src): python3-documentation-3.6.15-150300.10.48.1, python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
openSUSE Leap 15.5 (src): python3-documentation-3.6.15-150300.10.48.1, python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
SUSE Linux Enterprise Micro 5.3 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
SUSE Linux Enterprise Micro 5.4 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
Basesystem Module 15-SP4 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
Basesystem Module 15-SP5 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
Development Tools Module 15-SP4 (src): python3-core-3.6.15-150300.10.48.1
Development Tools Module 15-SP5 (src): python3-core-3.6.15-150300.10.48.1
SUSE Linux Enterprise Real Time 15 SP3 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
SUSE Linux Enterprise Micro 5.2 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): python3-3.6.15-150300.10.48.1, python3-core-3.6.15-150300.10.48.1
Comment 41 Matej Cepl 2023-06-28 15:51:09 UTC
Without an answer to comment 35, everything else is done.
Comment 42 OBSbugzilla Bot 2023-06-28 19:45:03 UTC
This is an autogenerated message for OBS integration:
This bug (1203750) was mentioned in
https://build.opensuse.org/request/show/1095863 Factory / python310
Comment 43 OBSbugzilla Bot 2023-06-29 11:55:04 UTC
This is an autogenerated message for OBS integration:
This bug (1203750) was mentioned in
https://build.opensuse.org/request/show/1095964 Factory / python38
Comment 44 OBSbugzilla Bot 2023-06-30 22:55:02 UTC
This is an autogenerated message for OBS integration:
This bug (1203750) was mentioned in
https://build.opensuse.org/request/show/1096213 Factory / python39
Comment 45 OBSbugzilla Bot 2023-07-03 12:15:02 UTC
This is an autogenerated message for OBS integration:
This bug (1203750) was mentioned in
https://build.opensuse.org/request/show/1096536 Factory / python311
Comment 47 Maintenance Automation 2023-07-04 16:30:51 UTC
SUSE-SU-2023:2778-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1203750
CVE References: CVE-2007-4559
Sources used:
Python 3 Module 15-SP4 (src): python311-3.11.3-150400.9.12.1, python311-core-3.11.3-150400.9.12.1, python311-documentation-3.11.3-150400.9.12.1
Python 3 Module 15-SP5 (src): python311-3.11.3-150400.9.12.1, python311-core-3.11.3-150400.9.12.1, python311-documentation-3.11.3-150400.9.12.1
openSUSE Leap 15.4 (src): python311-3.11.3-150400.9.12.1, python311-core-3.11.3-150400.9.12.1, python311-documentation-3.11.3-150400.9.12.1
openSUSE Leap 15.5 (src): python311-3.11.3-150400.9.12.1, python311-core-3.11.3-150400.9.12.1, python311-documentation-3.11.3-150400.9.12.1
Comment 49 Maintenance Automation 2023-07-19 16:30:18 UTC
SUSE-SU-2023:2884-1: An update that solves two vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1203750, 1208471, 1211765
CVE References: CVE-2007-4559, CVE-2023-24329
Sources used:
openSUSE Leap 15.5 (src): python310-3.10.12-150400.4.30.1, python310-documentation-3.10.12-150400.4.30.1, python310-core-3.10.12-150400.4.30.1
Python 3 Module 15-SP4 (src): python310-3.10.12-150400.4.30.1, python310-core-3.10.12-150400.4.30.1
openSUSE Leap 15.4 (src): python310-3.10.12-150400.4.30.1, python310-documentation-3.10.12-150400.4.30.1, python310-core-3.10.12-150400.4.30.1
Comment 50 Maintenance Automation 2023-07-25 08:50:00 UTC
SUSE-SU-2023:2957-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1203750, 1208471
CVE References: CVE-2007-4559, CVE-2023-24329
Sources used:
openSUSE Leap 15.4 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1, python39-documentation-3.9.17-150300.4.30.1
openSUSE Leap 15.5 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1, python39-documentation-3.9.17-150300.4.30.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
SUSE Linux Enterprise Real Time 15 SP3 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
SUSE Manager Proxy 4.2 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
SUSE Manager Retail Branch Server 4.2 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
SUSE Manager Server 4.2 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
SUSE Enterprise Storage 7.1 (src): python39-core-3.9.17-150300.4.30.1, python39-3.9.17-150300.4.30.1
Comment 57 Marcus Meissner 2023-11-27 15:10:56 UTC
done
Comment 58 Marcus Meissner 2023-12-14 17:04:32 UTC
We currently do not plan to fix this for python 2.

The background is that the patch is huge and risky in terms of introducing regressions; also, the Python team is in a mixed state about where this should be fixed and up to now has considered this fix to belong in callers of the module.
Comment 59 Maintenance Automation 2024-02-27 11:59:47 UTC
SUSE-SU-2023:2641-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1203750, 1211158
CVE References: CVE-2007-4559
Sources used:
openSUSE Leap 15.3 (src): python39-core-3.9.16-150300.4.27.1, python39-3.9.16-150300.4.27.1, python39-documentation-3.9.16-150300.4.27.1
openSUSE Leap 15.4 (src): python39-core-3.9.16-150300.4.27.1, python39-3.9.16-150300.4.27.1, python39-documentation-3.9.16-150300.4.27.1
openSUSE Leap 15.5 (src): python39-core-3.9.16-150300.4.27.1, python39-3.9.16-150300.4.27.1, python39-documentation-3.9.16-150300.4.27.1
SUSE Linux Enterprise Real Time 15 SP3 (src): python39-core-3.9.16-150300.4.27.1, python39-3.9.16-150300.4.27.1
Comment 60 Maintenance Automation 2024-02-27 12:30:27 UTC
SUSE-SU-2023:2937-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1203750, 1208471
CVE References: CVE-2007-4559, CVE-2023-24329
Sources used:
openSUSE Leap 15.4 (src): python311-3.11.4-150400.9.15.1, python311-documentation-3.11.4-150400.9.15.2, python311-core-3.11.4-150400.9.15.3
openSUSE Leap 15.5 (src): python311-3.11.4-150400.9.15.1, python311-documentation-3.11.4-150400.9.15.2, python311-core-3.11.4-150400.9.15.3
Python 3 Module 15-SP4 (src): python311-3.11.4-150400.9.15.1, python311-documentation-3.11.4-150400.9.15.2, python311-core-3.11.4-150400.9.15.3
Python 3 Module 15-SP5 (src): python311-3.11.4-150400.9.15.1, python311-documentation-3.11.4-150400.9.15.2, python311-core-3.11.4-150400.9.15.3