Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2007-4559 patch when building on Windows #6704

Merged
merged 4 commits into from Nov 8, 2022

Conversation

nulano
Copy link
Contributor

@nulano nulano commented Oct 31, 2022

Originally submitted in nulano/pypy_ext#2 by @TrellixVulnTeam:

Patching CVE-2007-4559

Hi, we are security researchers from the Advanced Research Center at Trellix. We have began a campaign to patch a widespread bug named CVE-2007-4559. CVE-2007-4559 is a 15 year old bug in the Python tarfile package. By using extract() or extractall() on a tarfile object without sanitizing input, a maliciously crafted .tar file could perform a directory path traversal attack. We found at least one unsantized extractall() in your codebase and are providing a patch for you via pull request. The patch essentially checks to see if all tarfile members will be extracted safely and throws an exception otherwise. We encourage you to use this patch or your own solution to secure against CVE-2007-4559. Further technical information about the vulnerability can be found in this blog.

If you have further questions you may contact us through this projects lead researcher Kasimir Schulz.

I've simplified the changes and applied them to zip files also.

I'm not sure how important this is here, but it probably can't hurt to add.

winbuild/build_prepare.py Outdated Show resolved Hide resolved
winbuild/build_prepare.py Outdated Show resolved Hide resolved
Co-authored-by: Andrew Murray <3112309+radarhere@users.noreply.github.com>
winbuild/build_prepare.py Outdated Show resolved Hide resolved
Co-authored-by: Andrew Murray <3112309+radarhere@users.noreply.github.com>
@radarhere radarhere merged commit 13dee16 into python-pillow:main Nov 8, 2022
@radarhere radarhere changed the title CVE-2007-4559 patch in winbuild CVE-2007-4559 patch when building on Windows Nov 8, 2022
@nulano nulano deleted the cve-2007-4559 branch November 8, 2022 03:30
@hugovk
Copy link
Member

hugovk commented Nov 8, 2022

Probably fine in this case, but a gentle reminder that security things should usually be reported following the policy:

https://github.com/python-pillow/Pillow/security/policy

Thanks for the fix!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

5 participants