Debian Bug report logs - #440097
CVE-2007-4559: directory traversal vulnerability in python tarfile module

Package: python2.4; Maintainer for python2.4 is (unknown);

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Wed, 29 Aug 2007 18:48:03 UTC

Severity: important

Tags: security, upstream

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Matthias Klose <doko@debian.org>:
Bug#440097; Package python2.4. (full text, mbox, link).


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Matthias Klose <doko@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-4559: directory traversal vulnerability in python tarfile module
Date: Wed, 29 Aug 2007 20:39:35 +0200
Package: python2.4
Version: 2.4.4-3
Severity: grave
Tags: security
Justification: user security hole

A vulnerability has been found in the python tarfile module.
From CVE-2007-4559:


"Directory traversal vulnerability in the (1) extract and (2) extractall
functions in the tarfile module in Python allows user-assisted remote attackers
to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR
archive, a related issue to CVE-2001-1267."

Please mention the CVE id in the changelog.



Bug 440097 cloned as bug 440099. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Wed, 29 Aug 2007 19:00:04 GMT) (full text, mbox, link).


Tags added: upstream Request was from Filipus Klutiero <cheal@hotpop.com> to control@bugs.debian.org. (Thu, 30 Aug 2007 00:45:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#440097; Package python2.4. (full text, mbox, link).


Acknowledgement sent to Matthias Klose <doko@cs.tu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).


Message #14 received at 440097@bugs.debian.org (full text, mbox, reply):

From: Matthias Klose <doko@cs.tu-berlin.de>
To: Stefan Fritsch <sf@sfritsch.de>, 440097@bugs.debian.org, 440099@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#440097: CVE-2007-4559: directory traversal vulnerability in python tarfile module
Date: Sat, 1 Sep 2007 19:34:01 +0200
tag 440097 - security
severity 440097 important
tag 440099 - security
severity 440099 important
thanks

upstream doesn't see this as a security issue; I don't mind mentioning
the CVE for a fix, once a patch is available in the upstream
repositories.

Stefan Fritsch writes:
> Package: python2.4
> Version: 2.4.4-3
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> A vulnerability has been found in the python tarfile module.
> From CVE-2007-4559:
> 
> 
> "Directory traversal vulnerability in the (1) extract and (2) extractall
> functions in the tarfile module in Python allows user-assisted remote attackers
> to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR
> archive, a related issue to CVE-2001-1267."
> 
> Please mention the CVE id in the changelog.



Tags removed: security Request was from Matthias Klose <doko@cs.tu-berlin.de> to control@bugs.debian.org. (Sat, 01 Sep 2007 17:36:04 GMT) (full text, mbox, link).


Severity set to `important' from `grave' Request was from Matthias Klose <doko@cs.tu-berlin.de> to control@bugs.debian.org. (Sat, 01 Sep 2007 17:36:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#440097; Package python2.4. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).


Message #23 received at 440097@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 440099@bugs.debian.org, 440097@bugs.debian.org
Cc: sf@sfritsch.de, control@bugs.debian.org
Subject: Re: CVE-2007-4559: directory traversal vulnerability in python tarfile module
Date: Thu, 11 Oct 2007 17:15:34 +0200
[Message part 1 (text/plain, inline)]
tags 440097 + security
tags 440099 + security
thanks

Hi Matthias,
After speaking with Kees Cook and Sean Finney in 
#debian-security we all agreed that this *is* indeed a 
security issue even if upstream does not agree here.
It is a valid argument that a user is supposed to extract a 
tar archive in a secure way. It is not the job of the user 
to take care of directory traversal logic via path names or
symlinks by examining the tar archive first.
Thus re-adding the security tag.

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Tags added: security Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 11 Oct 2007 15:18:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#440097; Package python2.4. (full text, mbox, link).


Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).


Message #30 received at 440097@bugs.debian.org (full text, mbox, reply):

From: Loïc Minier <lool@dooz.org>
To: Nico Golde <nion@debian.org>, 440099@bugs.debian.org
Cc: 440097@bugs.debian.org, sf@sfritsch.de
Subject: Re: Bug#440099: CVE-2007-4559: directory traversal vulnerability in python tarfile module
Date: Thu, 28 Aug 2008 13:41:36 +0200
On Thu, Aug 28, 2008, Loïc Minier wrote:
>  I'm not sure what to think here;  behavior with ../ and absolute
>  pathnames is documented behavior in the tarfile API.
> 
>  Another thing which is not strongly advertised is that if your tarball
>  has 0777 directories, extractall() will happily create 0777
>  directories.

 (Note that I discovered about this bug when I noticed that bzr
 build-deb would create 0777 directories when building hal.)

-- 
Loïc Minier




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#440097; Package python2.4. (full text, mbox, link).


Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).


Message #35 received at 440097@bugs.debian.org (full text, mbox, reply):

From: Loïc Minier <lool@dooz.org>
To: Nico Golde <nion@debian.org>, 440099@bugs.debian.org
Cc: 440097@bugs.debian.org, sf@sfritsch.de
Subject: Re: Bug#440099: CVE-2007-4559: directory traversal vulnerability in python tarfile module
Date: Thu, 28 Aug 2008 13:40:58 +0200
On Thu, Oct 11, 2007, Nico Golde wrote:
> After speaking with Kees Cook and Sean Finney in 
> #debian-security we all agreed that this *is* indeed a 
> security issue even if upstream does not agree here.
> It is a valid argument that a user is supposed to extract a 
> tar archive in a secure way. It is not the job of the user 
> to take care of directory traversal logic via path names or
> symlinks by examining the tar archive first.
> Thus re-adding the security tag.

 I'm not sure what to think here;  behavior with ../ and absolute
 pathnames is documented behavior in the tarfile API.

 Another thing which is not strongly advertised is that if your tarball
 has 0777 directories, extractall() will happily create 0777
 directories.

 (Try with the hal tarball for instance.)

 Note that "tar" will do the same if you run it as root!!

-- 
Loïc Minier
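The extraction policy the thread argues about, as an added example that is not part of this bug log or of Python's tarfile module: a Python 3 helper that rejects the member names CVE-2007-4559 describes (dot-dot and absolute), rejects symlink and hard-link targets that resolve outside the destination (Nico's point), and clamps the 0777 directory mode Loïc observed, exercised against a constructed in-memory archive. The destination /tmp/extract and the member names are assumed sample values.

```python
import io
import os
import tarfile


def member_problem(member, dest):
    """Return None if `member` may be extracted under `dest`, else a reason string."""
    dest = os.path.realpath(dest)
    def inside(path):  # realpath collapses '..', so the depth of traversal does not matter
        full = os.path.realpath(os.path.join(dest, path))
        return full == dest or full.startswith(dest + os.sep)
    if os.path.isabs(member.name) or not inside(member.name):
        return "name escapes destination: %s" % member.name
    if member.issym() or member.islnk():
        # relative symlink targets resolve from the link's directory; hard-link targets are archive names
        base = os.path.dirname(member.name) if member.issym() else ""
        if os.path.isabs(member.linkname) or not inside(os.path.join(base, member.linkname)):
            return "link escapes destination: %s -> %s" % (member.name, member.linkname)
    return None


def safe_members(tar, dest, max_mode=0o755):
    """Yield members that pass member_problem(), with modes clamped (0777 dir -> 0755)."""
    for member in tar.getmembers():
        if member_problem(member, dest) is None:
            member.mode &= max_mode
            yield member


def build_sample_tar():
    """Constructed in-memory archive with one member per case raised in the bug log."""
    cases = [("pkg", tarfile.DIRTYPE, "", 0o777),             # 0777 directory (the hal case)
             ("pkg/README", tarfile.REGTYPE, "", 0o644),      # harmless
             ("../outside.txt", tarfile.REGTYPE, "", 0o644),  # dot-dot traversal
             ("/etc/passwd", tarfile.REGTYPE, "", 0o644),     # absolute name
             ("pkg/link", tarfile.SYMTYPE, "../../etc/shadow", 0o777)]  # symlink pointing out
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, link, mode in cases:
            info = tarfile.TarInfo(name)
            info.type, info.linkname, info.mode = kind, link, mode
            tar.addfile(info)
    return io.BytesIO(buf.getvalue())


def audit(dest="/tmp/extract"):
    """Return ({name: problem or None}, {name: clamped mode}) for the sample archive."""
    with tarfile.open(fileobj=build_sample_tar(), mode="r") as tar:
        problems = {m.name: member_problem(m, dest) for m in tar.getmembers()}
        return problems, {m.name: m.mode for m in safe_members(tar, dest)}
```

To extract, pass the generator to the existing API: tar.extractall(dest, members=safe_members(tar, dest)). Python 3.12 and later ship an equivalent policy built in as tarfile extraction filters (filter="data").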




Bug reassigned from package 'python2.4' to 'python'. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Mon, 09 Apr 2012 14:10:54 GMT) (full text, mbox, link).


No longer marked as found in versions python2.4/2.4.4-3. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Mon, 09 Apr 2012 14:10:55 GMT) (full text, mbox, link).


Bug reassigned from package 'python' to 'python2.7'. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Mon, 09 Apr 2012 14:33:15 GMT) (full text, mbox, link).


Bug reassigned from package 'python2.7' to 'python2.4'. Request was from Matthias Klose <doko@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2012 08:30:31 GMT) (full text, mbox, link).


Marked Bug as done Request was from Matthias Klose <doko@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2012 10:27:04 GMT) (full text, mbox, link).


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (Sat, 14 Apr 2012 10:27:05 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 May 2012 07:52:05 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Aug 23 09:26:39 2023; Machine Name: buxtehude
