Skip to content

CVE-2007-4559 Patch#1984

Merged
wanghan-iapcm merged 1 commit into
deepmodeling:develfrom
TrellixVulnTeam:master
Oct 12, 2022
Merged

CVE-2007-4559 Patch#1984
wanghan-iapcm merged 1 commit into
deepmodeling:develfrom
TrellixVulnTeam:master

Conversation

@TrellixVulnTeam

Copy link
Copy Markdown
Contributor

Patching CVE-2007-4559

Hi, we are security researchers from the Advanced Research Center at Trellix. We have began a campaign to patch a widespread bug named CVE-2007-4559. CVE-2007-4559 is a 15 year old bug in the Python tarfile package. By using extract() or extractall() on a tarfile object without sanitizing input, a maliciously crafted .tar file could perform a directory path traversal attack. We found at least one unsantized extractall() in your codebase and are providing a patch for you via pull request. The patch essentially checks to see if all tarfile members will be extracted safely and throws an exception otherwise. We encourage you to use this patch or your own solution to secure against CVE-2007-4559. Further technical information about the vulnerability can be found in this blog.

If you have further questions you may contact us through this projects lead researcher Kasimir Schulz.

@njzjz njzjz changed the base branch from master to devel October 11, 2022 21:56
@wanghan-iapcm wanghan-iapcm merged commit 330608a into deepmodeling:devel Oct 12, 2022
mingzhong15 pushed a commit to mingzhong15/deepmd-kit that referenced this pull request Jan 15, 2023
# Patching CVE-2007-4559

Hi, we are security researchers from the Advanced Research Center at
[Trellix](https://www.trellix.com). We have began a campaign to patch a
widespread bug named CVE-2007-4559. CVE-2007-4559 is a 15 year old bug
in the Python tarfile package. By using extract() or extractall() on a
tarfile object without sanitizing input, a maliciously crafted .tar file
could perform a directory path traversal attack. We found at least one
unsantized extractall() in your codebase and are providing a patch for
you via pull request. The patch essentially checks to see if all tarfile
members will be extracted safely and throws an exception otherwise. We
encourage you to use this patch or your own solution to secure against
CVE-2007-4559. Further technical information about the vulnerability can
be found in this
[blog](https://www.trellix.com/en-us/about/newsroom/stories/research/tarfile-exploiting-the-world.html).

If you have further questions you may contact us through this projects
lead researcher [Kasimir Schulz](mailto:kasimir.schulz@trellix.com).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants