Skip to content

CVE-2007-4559 patch when building on Windows #6704

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
radarhere merged 4 commits into from
Nov 8, 2022
Merged

CVE-2007-4559 patch when building on Windows #6704

radarhere merged 4 commits into from
Nov 8, 2022

Conversation

@nulano
Copy link
Contributor

@nulano nulano commented Oct 31, 2022

Originally submitted in nulano/pypy_ext#2 by @TrellixVulnTeam:

Patching CVE-2007-4559

Hi, we are security researchers from the Advanced Research Center at Trellix. We have began a campaign to patch a widespread bug named CVE-2007-4559. CVE-2007-4559 is a 15 year old bug in the Python tarfile package. By using extract() or extractall() on a tarfile object without sanitizing input, a maliciously crafted .tar file could perform a directory path traversal attack. We found at least one unsantized extractall() in your codebase and are providing a patch for you via pull request. The patch essentially checks to see if all tarfile members will be extracted safely and throws an exception otherwise. We encourage you to use this patch or your own solution to secure against CVE-2007-4559. Further technical information about the vulnerability can be found in this blog.

If you have further questions you may contact us through this projects lead researcher Kasimir Schulz.

I've simplified the changes and applied them to zip files also.

I'm not sure how important this is here, but it probably can't hurt to add.

radarhere
radarhere reviewed Nov 3, 2022
View reviewed changes
radarhere
radarhere reviewed Nov 3, 2022
View reviewed changes
radarhere
radarhere reviewed Nov 4, 2022
View reviewed changes
@nulano @radarhere
simplify code
8947cbf 
Co-authored-by: Andrew Murray <[email protected]>
@radarhere radarhere merged commit 13dee16 into python-pillow:main Nov 8, 2022
@radarhere radarhere changed the title CVE-2007-4559 patch in winbuild CVE-2007-4559 patch when building on Windows Nov 8, 2022
@nulano nulano deleted the cve-2007-4559 branch November 8, 2022 03:30
@hugovk
Copy link
Member

hugovk commented Nov 8, 2022

Probably fine in this case, but a gentle reminder that security things should usually be reported following the policy:

https://github.com/python-pillow/Pillow/security/policy

Thanks for the fix!

@skupr-anaconda skupr-anaconda mentioned this pull request Feb 23, 2023
Merged
12 tasks
@aclark4life aclark4life mentioned this pull request Mar 8, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@radarhere radarhere radarhere approved these changes

+1 more reviewer

@Yay295 Yay295 Yay295 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Windows

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@nulano @hugovk @radarhere @Yay295 @TrellixVulnTeam