Bug 15390 - Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation)
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Python
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-07 09:01 UTC by Andreas Schneider
Modified: 2023-09-12 23:43 UTC
CC: 5 users

See Also:


Attachments
patch for 4.18 (9.61 KB, patch); 2023-06-15 07:47 UTC, Andreas Schneider; dbagnall: review+
backport for 4.18 (1.68 KB, patch); 2023-07-21 14:49 UTC, Noel Power; abartlet: review+

Description Andreas Schneider 2023-06-07 09:01:43 UTC
Python's `tarfile` module makes it too easy to extract tarballs in an unsafe way. Unfortunately, for the CVE to be considered fixed, this needs a behavior change.

For more details see upstream PEP 706: https://peps.python.org/pep-0706
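The unsafe default and the PEP 706 mitigation the description refers to, as an added example that is not Samba's code and not the patches attached to this bug. It builds a small archive in memory (a constructed sample: a benign file, a "../escape.txt" traversal entry and a symlink to "../../etc"), shows where an unfiltered extractall() would put the traversal entry (the parent of the destination), and then extracts through tarfile.data_filter where the interpreter provides it (Python 3.12+ and the security backports to older 3.x), with a hand-written check standing in for it on interpreters that lack it. UnsafeMemberError, build_sample_tar, naive_targets, audit, extract_safely and run_demo are names chosen here, not from the project or the tarfile API; the fallback is an approximation of the data filter (it rejects absolute member names outright, where the real filter strips leading slashes).

```python
# Added example (not Samba's code): CVE-2007-4559 tar traversal vs. the PEP 706
# 'data' filter, with a manual fallback for interpreters that lack the filter.
import io
import os
import tarfile
import tempfile


class UnsafeMemberError(tarfile.TarError):
    """A member the 'data' filter (or its fallback) refuses to extract."""


def build_sample_tar():
    # Constructed sample: a benign file, a '../' traversal entry and a symlink
    # pointing outside the destination; a naive extractall() accepts all three.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in (("safe/hello.txt", b"hello\n"), ("../escape.txt", b"pwned\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("safe/etc")
        link.type, link.linkname = tarfile.SYMTYPE, "../../etc"
        tf.addfile(link)
    return buf.getvalue()


def naive_targets(tar_bytes, dest):
    """Paths an unfiltered extractall(dest) would write (dest joined with the
    raw member name, which is how '../' escapes). Computes only; writes nothing."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        return {m.name: os.path.normpath(os.path.join(dest, m.name)) for m in tf.getmembers()}


def _fallback_check(member, dest):
    # Approximation of the 'data' filter: names and link targets must resolve
    # inside dest, and device/fifo members are refused.
    root = os.path.realpath(dest)

    def inside(path):
        return os.path.commonpath([os.path.realpath(path), root]) == root

    if os.path.isabs(member.name) or not inside(os.path.join(root, member.name)):
        raise UnsafeMemberError("member escapes destination: %s" % member.name)
    if member.isdev():
        raise UnsafeMemberError("device or fifo member: %s" % member.name)
    if member.issym() or member.islnk():
        base = os.path.dirname(member.name) if member.issym() else ""
        if os.path.isabs(member.linkname) or not inside(os.path.join(root, base, member.linkname)):
            raise UnsafeMemberError("link escapes destination: %s" % member.name)


def check_member(member, dest):
    """Raise UnsafeMemberError if the PEP 706 'data' filter refuses the member;
    hasattr() is the usual probe for the filter, falling back to the manual check."""
    if hasattr(tarfile, "data_filter"):
        try:
            tarfile.data_filter(member, dest)
        except tarfile.FilterError as exc:
            raise UnsafeMemberError(str(exc)) from exc
    else:
        _fallback_check(member, dest)


def audit(tar_bytes, dest):
    """Return (accepted, rejected) member names; extracts nothing."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in tf.getmembers():
            try:
                check_member(m, dest)
                accepted.append(m.name)
            except UnsafeMemberError:
                rejected.append(m.name)
    return accepted, rejected


def extract_safely(tar_bytes, dest):
    """Extract only audited members and return the relative paths written.
    Setting extraction_filter is what avoids the 3.12/3.13 DeprecationWarning
    (and the silent 'fully_trusted' behaviour behind it) this bug is about."""
    accepted, _ = audit(tar_bytes, dest)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        if hasattr(tarfile, "data_filter"):
            tf.extraction_filter = tarfile.data_filter
        tf.extractall(dest, members=[m for m in tf.getmembers() if m.name in accepted])
    return sorted(os.path.relpath(os.path.join(base, f), dest)
                  for base, _dirs, files in os.walk(dest) for f in files)


def run_demo():
    """Run everything in a throwaway directory and report the outcome."""
    tar = build_sample_tar()
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        os.mkdir(dest)
        accepted, rejected = audit(tar, dest)
        return {
            "naive_would_escape": naive_targets(tar, dest)["../escape.txt"] == os.path.join(tmp, "escape.txt"),
            "accepted": accepted,
            "rejected": rejected,
            "written": extract_safely(tar, dest),
            "escaped_file_exists": os.path.exists(os.path.join(tmp, "escape.txt")),
        }


if __name__ == "__main__":
    print(run_demo())
```

Running run_demo() reports that the naive join would have placed escape.txt next to, not inside, the extraction directory, that audit() rejects the traversal entry and the symlink while accepting safe/hello.txt, and that only that file ends up on disk. The behaviour change PEP 706 describes is the same whichever branch of check_member runs: members that would land outside the destination are refused rather than written.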
Comment 1 Samba QA Contact 2023-06-14 23:56:06 UTC
This bug was referenced in samba master:

ebaa00816259cbae5c45ebf0ba5fb260b09e4695
8c90c66a9a409d807dad56822540509c9813425b
431f7698e48387413aac586c7a939a1682464681
1f74f9f366d7f107a89220a4a5951bc4daf18025
Comment 2 Andreas Schneider 2023-06-15 07:47:18 UTC
Created attachment 17922 [details]
patch for 4.18
Comment 3 Douglas Bagnall 2023-06-15 19:39:08 UTC
ready for 4.18.
Comment 4 Jule Anger 2023-06-16 11:59:02 UTC
Pushed to autobuild-v4-18-test.
Comment 5 Samba QA Contact 2023-06-19 10:30:08 UTC
This bug was referenced in samba v4-18-test:

4a79ee44c311f1a78de9fc9d2b8bc73fb4987719
eff4e88d2cc01d60a8ad03108f0d5691bde0e976
b7cad429a52857ac8a1d1685c732f4c746e7c339
a6edfaa498552dcef704bda0c6fcb7b14c88bdcc
Comment 6 Jule Anger 2023-06-19 11:36:26 UTC
Closing out bug report.

Thanks!
Comment 7 Samba QA Contact 2023-07-05 11:34:55 UTC
This bug was referenced in samba v4-18-stable (Release samba-4.18.4):

4a79ee44c311f1a78de9fc9d2b8bc73fb4987719
eff4e88d2cc01d60a8ad03108f0d5691bde0e976
b7cad429a52857ac8a1d1685c732f4c746e7c339
a6edfaa498552dcef704bda0c6fcb7b14c88bdcc
Comment 8 Samba QA Contact 2023-07-21 02:20:07 UTC
This bug was referenced in samba master:

e401ae44b2f952fc2686065fbfb3a563e3d4066a
Comment 9 Andrew Bartlett 2023-07-21 04:21:02 UTC
Re-opened due to regressions.
Comment 10 Noel Power 2023-07-21 14:49:21 UTC
Created attachment 17992 [details]
backport for 4.18
Comment 11 Andrew Bartlett 2023-07-21 19:57:26 UTC
Re-assigning to Jule to have the regression fix get into the next 4.18 release.
Comment 12 Jule Anger 2023-07-24 08:54:55 UTC
Pushed to autobuild-v4-18-test.
Comment 13 Samba QA Contact 2023-07-24 10:20:04 UTC
This bug was referenced in samba v4-18-test:

14ce7756e7a5403144126f55be1f7022374c64ea
Comment 14 Jule Anger 2023-07-24 12:03:09 UTC
Closing out bug report.

Thanks!
Comment 15 Samba QA Contact 2023-07-28 12:14:11 UTC
This bug was referenced in samba v4-19-test:

e401ae44b2f952fc2686065fbfb3a563e3d4066a
Comment 16 Samba QA Contact 2023-07-28 12:17:57 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.0rc1):

e401ae44b2f952fc2686065fbfb3a563e3d4066a
Comment 17 Samba QA Contact 2023-08-16 16:57:45 UTC
This bug was referenced in samba v4-18-stable (Release samba-4.18.6):

14ce7756e7a5403144126f55be1f7022374c64ea