Description
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
Packages
Package | Status | Fixed version | Release | Type
---|---|---|---|---
python2.3 | removed | package | |
python2.4 | unfixed | package | |
python2.5 | unfixed | package | |
Notes
According to upstream this is the intended behaviour for the module. Since this is a library interface to embed Tar functionality into applications, it is in order to not provide the full security safety belts one might expect from an end-user application like tar(1). Plus, addressing this would mean diverging from upstream permanently and could break the behaviour of external apps. Anyone who wants to see this "fixed" should rather file a PEP on an improved tar interface with additional security guarantees provided by design.
https://github.com/python/cpython/issues/45385
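The description above names the mechanism (a `..` component in a member name reaching `extract`/`extractall`) and the note explains why the library itself does not stop it, which leaves the check to the application. The following is an added example, not code from the advisory, Debian or CPython: it validates every member of an archive before anything is written and refuses the archive if any member, or any symlink/hard-link target, would land outside the chosen directory. The destination path, the `build_archive`/`audit_archive` helper names and the sample archive contents are constructed for the demonstration; the `filter="data"` argument is the real tarfile option introduced in Python 3.12 (PEP 706) and is only used when present.

```python
"""Checked extraction for tarfile archives.

Added example, not code from the advisory, Debian or CPython: every member
is validated before anything is written, so an archive carrying a '..' name,
an absolute name, or a link pointing outside the destination is refused
instead of overwriting files elsewhere on the system.
"""
import io
import os
import tarfile


class UnsafeArchiveMember(ValueError):
    """A member would be written, or would point, outside the destination."""


def _is_within(base, path):
    """True when the resolved `path` is `base` itself or lies beneath it."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    return path == base or path.startswith(base + os.sep)


def check_member(member, dest):
    """Validate one TarInfo against the destination directory `dest`.

    Rejects absolute names, '..' path components, device nodes, and
    symlinks or hard links whose target resolves outside `dest`.
    """
    name = member.name
    if os.path.isabs(name) or ".." in name.split("/"):
        raise UnsafeArchiveMember(f"traversal in member name: {name!r}")
    target = os.path.join(dest, name)
    if not _is_within(dest, target):
        raise UnsafeArchiveMember(f"member escapes destination: {name!r}")
    if member.ischr() or member.isblk():
        raise UnsafeArchiveMember(f"device node in archive: {name!r}")
    if member.issym() or member.islnk():
        if os.path.isabs(member.linkname):
            raise UnsafeArchiveMember(f"absolute link target: {name!r}")
        # Hard-link targets are relative to the archive root, symlink
        # targets to the directory that holds the link.
        link_base = dest if member.islnk() else os.path.dirname(target)
        if not _is_within(dest, os.path.join(link_base, member.linkname)):
            raise UnsafeArchiveMember(f"link points outside destination: {name!r}")


def safe_extractall(tar, dest):
    """Validate every member first, then extract; refuses the whole archive
    on the first unsafe member rather than extracting a partial tree."""
    dest = os.path.realpath(dest)
    members = tar.getmembers()
    for member in members:
        check_member(member, dest)
    # On Python 3.12+ also engage the built-in 'data' filter (PEP 706).
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(dest, members=members, **extra)
    return [m.name for m in members]


def build_archive(entries):
    """Build an in-memory tar from {name: bytes | ('symlink', target)}.

    Constructed sample input for the demonstration below; tarfile writes
    the member names exactly as given, '..' and all.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, value in entries.items():
            info = tarfile.TarInfo(name)
            if isinstance(value, tuple) and value[0] == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = value[1]
                tar.addfile(info)
            else:
                info.size = len(value)
                tar.addfile(info, io.BytesIO(value))
    buf.seek(0)
    return buf


def audit_archive(buf, dest):
    """Return the names of members that check_member refuses for `dest`."""
    buf.seek(0)
    unsafe = []
    with tarfile.open(fileobj=buf, mode="r") as tar:
        for member in tar.getmembers():
            try:
                check_member(member, dest)
            except UnsafeArchiveMember:
                unsafe.append(member.name)
    return unsafe


if __name__ == "__main__":
    # Constructed archive: two benign members and three traversal attempts.
    sample = build_archive({
        "good/hello.txt": b"hello\n",
        "good/link_inside": ("symlink", "hello.txt"),
        "../escape.txt": b"outside\n",
        "/etc/passwd": b"absolute\n",
        "link_outside": ("symlink", "../../etc/passwd"),
    })
    print(audit_archive(sample, "/tmp/tar-extract-demo"))
```

`audit_archive` is the dry run; `safe_extractall` is what an application would call in place of a bare `extractall`. The check is done over all members before the first write so that a malicious archive is refused whole, and link targets are constrained to the destination so that a later member cannot be written through a symlink planted by an earlier one.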
Related vulnerabilities
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.