CVE-2007-4559
Published: 28 August 2007
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
Notes
| Author | Note |
|---|---|
| mdeslaur | Upstream python eventually decided to fix this by adding an additional option to the affected functions to specify adding a filter. See PEP 706. While this does not change the default behaviour, applications modified to use the filter can now safely extract untrusted tar files. Due to the default not changing, we will not be fixing this issue in older Python releases, marking as ignored. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
python2.3 Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
| hardy |
Does not exist
|
|
| intrepid |
Does not exist
|
|
| jaunty |
Does not exist
|
|
| karmic |
Does not exist
|
|
| upstream |
Ignored
|
|
|
python2.4 Launchpad, Ubuntu, Debian |
dapper |
Ignored
|
| hardy |
Ignored
|
|
| intrepid |
Ignored
|
|
| jaunty |
Ignored
|
|
| karmic |
Ignored
|
|
| upstream |
Ignored
|
|
|
python2.5 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Ignored
|
|
| intrepid |
Ignored
|
|
| jaunty |
Ignored
|
|
| karmic |
Ignored
|
|
| upstream |
Ignored
|
|
|
python2.6 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Does not exist
|
|
| intrepid |
Does not exist
|
|
| jaunty |
Ignored
|
|
| karmic |
Ignored
|
|
| upstream |
Ignored
|
|
|
python2.7 Launchpad, Ubuntu, Debian |
bionic |
Ignored
|
| focal |
Ignored
|
|
| jammy |
Ignored
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Ignored
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
|
|
|
python3.0 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Does not exist
|
|
| intrepid |
Ignored
|
|
| jaunty |
Ignored
|
|
| karmic |
Ignored
|
|
| upstream |
Ignored
|
|
|
python3.1 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Does not exist
|
|
| intrepid |
Does not exist
|
|
| jaunty |
Does not exist
|
|
| karmic |
Ignored
|
|
| upstream |
Ignored
|
|
|
python3.10 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Released
(3.10.12-1~22.04.2)
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(3.10.12)
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/python/cpython/pull/104128 |
||
|
python3.11 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Ignored
|
|
| lunar |
Released
(3.11.4-1~23.04)
|
|
| mantic |
Not vulnerable
(3.11.6-1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(3.11.4)
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/python/cpython/pull/103832 |
||
|
python3.12 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(3.12.0)
|
|
| xenial |
Does not exist
|
|
|
python3.4 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Ignored
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
python3.5 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Ignored
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
|
|
|
python3.6 Launchpad, Ubuntu, Debian |
bionic |
Ignored
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
python3.7 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of standard support)
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
python3.8 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of standard support)
|
| focal |
Ignored
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(3.8.17)
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/python/cpython/pull/104548 |
||
|
python3.9 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Ignored
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(3.9.17)
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/python/cpython/pull/104382 |
||