Message-ID: <20250620135051.xkt6yzanpy67jeqe@jwilk.net>
Date: Fri, 20 Jun 2025 15:50:51 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: path traversal in tar extract in intel cve-bin-tool
This is the committed fix:
https://github.com/intel/cve-bin-tool/commit/b4feb03f19acecc1
The fix is twofold:
1) If tarfile extraction filters are available (initially added in
Python 3.12, but also backported to 3.11.4, 3.10.12, 3.9.17 and 3.8.17)
in the standard library, the code makes use of that.
2) Otherwise, it tries to sanitize tar files on its own, like this:
    for tarmember in members:
        if tarmember.isfile() and str(
            Path(extraction_path, tarmember.name).resolve()
        ).startsWith(extraction_path):
            yield tarmember
This cleverly sidesteps path traversal by not extracting anything at
all, because...
AttributeError: 'str' object has no attribute 'startsWith'. Did you mean: 'startswith'?
But the custom filter wouldn't be sound even with the typo fixed,
because str.startswith() and Path.resolve() are wrong tools for the job.
Anyway, I suspect that cve-bin-tool's extractors for other file formats
are still vulnerable to path traversal, so I wouldn't recommend running
it against untrusted files.
--
Jakub Wilk
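A fallback member filter of the kind the post says is needed, as an added example that is not part of the post or of cve-bin-tool's code: it judges member names and link targets as stored in the archive (Path.resolve() would consult the live filesystem, whose state earlier members change) and uses os.path.commonpath as the containment test instead of the str.startswith() prefix test. The archive, the destination path "/tmp/extract" and the member names are constructed for the demonstration; where the interpreter provides tarfile.data_filter, that is the filter to use.

```python
import io
import os
import tarfile
from pathlib import PurePosixPath

def member_escapes(member: tarfile.TarInfo, dest: str) -> bool:
    """True if extracting `member` under `dest` could write outside `dest`.
    Judged from the archive's own names; nothing on disk is consulted.
    """
    dest = os.path.realpath(dest)
    name = PurePosixPath(member.name)
    if name.is_absolute() or ".." in name.parts:
        return True
    target = os.path.normpath(os.path.join(dest, *name.parts))
    if member.issym() or member.islnk():
        # A symlink target is relative to the link's directory, a hard link
        # target to the archive root. commonpath is the containment test;
        # startswith() would accept "/tmp/extract2/x" for dest "/tmp/extract".
        base = os.path.dirname(target) if member.issym() else dest
        link = member.linkname
        link_target = link if os.path.isabs(link) else os.path.normpath(os.path.join(base, link))
        if os.path.commonpath([dest, link_target]) != dest:
            return True
    # Devices, FIFOs and other special members are never extracted.
    return not (member.isfile() or member.isdir() or member.issym() or member.islnk())

def safe_member_names(tar_bytes: bytes, dest: str = "/tmp/extract") -> list:
    """Names of the members this fallback filter would let through."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [m.name for m in tar.getmembers() if not member_escapes(m, dest)]

def build_sample_archive() -> bytes:
    """Constructed archive: one benign file plus several traversal attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, kind=tarfile.REGTYPE, linkname=""):
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, linkname
            data = b"x" if kind == tarfile.REGTYPE else b""
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if data else None)
        add("ok.txt")
        add("../escape.txt")             # plain parent-directory escape
        add("../extract2/evil.txt")      # resolves to a path that startswith("/tmp/extract")
        add("out", tarfile.SYMTYPE, "../../etc")  # symlink pointing outside dest
        add("out/passwd")                # harmless once the symlink above is refused
    return buf.getvalue()
```

Running `safe_member_names(build_sample_archive())` keeps only `ok.txt` and `out/passwd`; the `out/passwd` member is acceptable precisely because the symlink member it would otherwise write through was refused.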