Another fresh #Python #tarfile #vulnerability

Python TarFile.extractall(..., filter='tar') arbitrary file chmod

https://github.com/python/cpython/issues/127987

TarFile.extractall(..., filter='tar') arbitrary file chmod · Issue #127987 · python/cpython

TarFile.extractall() can be tricked into chmodding arbitrary file (outside of the destination directory) to 0755, despite using filter='tar': $ target=$(mktemp) $ defeatpep706 eggs.tar $target $ ls...

GitHub
Python - Tarfile Realpath Overflow Vulnerability

### Summary Python's `TarFile.extractall()` and `TarFile.extract()` methods support a feature that allows a filter to be set to improve the safety of using these methods. Python's standard library...

GitHub

That's not good, at all 🤔😑💩

"15-Year-Old Unpatched Python Vulnerability Potentially Affects Over 350,000 Projects" (CVE-2007-4559)

https://thehackernews.com/2022/09/15-year-old-unpatched-python.html

#devops #cybersec #cybersecurity #python #vulnerability #tarfile #security #bug #code #programming #programmer

15-Year-Old Unpatched Python Vulnerability Potentially Affects Over 350,000 Projects

A 15-year-old unpatched Python vulnerability potentially affects as many as 350,000 open source projects, leaving them vulnerable to code execution at

The Hacker News
Tarfile: Exploiting the World With a 15-Year-Old Vulnerability

Trellix Advanced Research Center stumbled across a vulnerability in Python’s tarfile module. As we dug into the issue, we realized this was in fact CVE-2007-4559. The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the “..” sequence to filenames in a TAR archive. Over the course of our research into the impact of this vulnerability we discovered that hundreds of thousands of repositories were vulnerable to this vulnerability. While the vulnerability was originally only marked as a 6.8, we were able to confirm that in most cases an attacker can gain code execution from the file write.

Python security vulnerability affects more than 350,000 open-source projects

More than 350,000 open-source Python projects are at risk from a security vulnerability that has been known for 15 years.

Tarnkappe.info
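The Trellix summary above describes the CVE-2007-4559 pattern: a member name containing `..` (or an absolute path, or a link pointing outside the destination) makes `extract()`/`extractall()` write outside the target directory. The block below is an added example, not code from the linked posts or from CPython; it constructs a small in-memory archive with one benign and three hostile members (sample data, not a real-world archive), flags every member whose resolved path would land outside the destination, and only then extracts, using the PEP 706 `data` filter where the running interpreter provides it. The destination path `/srv/extract` used in the check is an assumed placeholder.

```python
import io
import os
import tarfile


def build_sample_archive(include_hostile: bool = True) -> bytes:
    """Construct an in-memory tar archive (constructed sample data).

    Always contains a benign member; with include_hostile=True it also
    contains a '..' traversal name, an absolute path, and a symlink that
    points outside the extraction directory.
    """
    buf = io.BytesIO()
    data = b"hello\n"
    names = ["docs/readme.txt"]
    if include_hostile:
        names += ["../escape.txt", "/etc/absolute.txt"]
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        if include_hostile:
            link = tarfile.TarInfo("link-out")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../outside"
            tar.addfile(link)
    return buf.getvalue()


def _inside(root: str, candidate: str) -> bool:
    """True if candidate (already resolved) lies at or below root."""
    return os.path.commonpath([root, candidate]) == root


def unsafe_members(archive: bytes, dest: str) -> list[str]:
    """Return the names of members that would write or link outside dest.

    Checks the member's own resolved path and, for symlinks/hardlinks,
    the resolved link target; hardlink targets are archive-relative,
    symlink targets are relative to the link's own directory.
    """
    dest_real = os.path.realpath(dest)
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, member.name))
            if not _inside(dest_real, target):
                flagged.append(member.name)
                continue
            if member.issym() or member.islnk():
                base = dest_real if member.islnk() else os.path.dirname(target)
                link_target = os.path.realpath(os.path.join(base, member.linkname))
                if not _inside(dest_real, link_target):
                    flagged.append(member.name)
    return flagged


def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Reject the whole archive if any member is unsafe, else extract it.

    Returns the names of the extracted members. The pre-check is defence in
    depth; where the interpreter ships PEP 706 filters (3.12+, and the
    backports to 3.8.17/3.9.17/3.10.12/3.11.4) the 'data' filter is
    requested as well, since it also rejects unsafe modes and link targets.
    """
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract, unsafe members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        names = tar.getnames()
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return names


if __name__ == "__main__":
    print("flagged:", unsafe_members(build_sample_archive(), "/srv/extract"))
```

The whole-archive rejection is deliberate: extracting the benign members and skipping the bad ones would leave a partially written tree that downstream code may trust. Note that this check validates names, not the extraction itself, so it does not replace the interpreter-level filter; it catches the `..` and absolute-path cases in the Trellix write-up on interpreters that predate PEP 706.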

@obsolete29
Then there are #tarfile versions of some #softwares, which *can* be updated in-software, it depends on individual developers.

Unless folks check #PGPSignatures of #software that they get online though, we don't recommend #downloading software manually.

Hashtags for future searchers: #appImages #appImage #legit #legitSoftware #appUpdates #softwareUpdate #packageManager #updates #aptGet #flatPaks #PPA #PPAs #authenticity
@realsimon