CVE-2007-4559 Patch

[TrellixVulnTeam]

Patching CVE-2007-4559

Hi, we are security researchers from the Advanced Research Center at Trellix. We have began a campaign to patch a widespread bug named CVE-2007-4559. CVE-2007-4559 is a 15 year old bug in the Python tarfile package. By using extract() or extractall() on a tarfile object without sanitizing input, a maliciously crafted .tar file could perform a directory path traversal attack. We found at least one unsantized extractall() in your codebase and are providing a patch for you via pull request. The patch essentially checks to see if all tarfile members will be extracted safely and throws an exception otherwise. We encourage you to use this patch or your own solution to secure against CVE-2007-4559. Further technical information about the vulnerability can be found in this blog.

If you have further questions you may contact us through this projects lead researcher Kasimir Schulz.

[repokitteh-read-only]

Hi @TrellixVulnTeam, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #23530 was opened by TrellixVulnTeam.

see: more, trace.

[phlax]

we should probably address this - altho this PR is only catching a fraction of our tarfile use and the code is repetitive - im also wondering if this is not something that should be dealt with in the python module itself

[phlax]

checking further - its a bug from 2007 - which was not deemed a security issue by python, and consequently distributors (afaict) - seemingly as it is just POSIX compliance

various solutions (similar to the one here) were discussed but in the end the only change was to docs regarding tars from untrusted sources

in this case the source of the tars would either be the users own machine or RBE so im not sure we are dealing with untrusted sources here (that may not be the case with all untarring)

that said - i can add look at adding some safe_extract type functionality that we could use across the tooling for additional confidence

[phlax]

i will follow up on this as time allows, but will leave it open for now so its not forgotten

/wait

[phlax]

cc @Sim4n6

it would be good to address this for peace of mind and to prevent others from being concerned about it

we host most of our python tooling in https://github.com/envoyproxy/pytooling so that is probably the best place to address this, and has other instances of "unsafe" extraction that should be looked at

[Sim4n6]

I'm not affiliated in any way with the reporting team.

[Sim4n6]

But I will make a look, thanks

[Sim4n6]

Hi @phlax,
There are a couple of unsafe tarball extractions in envoyproxy/pytooling repository but of a low impact and they are not covered by the in-scope bounty of https://lyft.github.io.
My initial report on H1 for the product envoyproxy/envoy was downgraded from high to low to informative. So no monetary reward for sure...

I don't see any reason for keeping this as a pending task, (on my side). Thank you.

[adisuissa]

@phlax should this PR be closed for now?

[phlax]

yeah lets close it - ive opened a ticket in toolshed to track/flag the issue envoyproxy/toolshed#1270