
oss-sec mailing list archives
Re: path traversal in tar extract in intel cve-bin-tool
From: Jakub Wilk <jwilk () jwilk net>
Date: Fri, 20 Jun 2025 15:50:51 +0200
This is the committed fix:
https://github.com/intel/cve-bin-tool/commit/b4feb03f19acecc1

The fix is twofold:

1) If tarfile extraction filters are available (initially added in Python 3.12, but also backported to 3.11.4, 3.10.12, 3.9.17 and 3.8.17) in the standard library, the code makes use of that.

2) Otherwise, it tries to sanitize tar files on its own, like this:

    for tarmember in members:
        if tarmember.isfile() and str(
            Path(extraction_path, tarmember.name).resolve()
        ).startsWith(extraction_path):
            yield tarmember

This cleverly sidesteps path traversal by not extracting anything at all, because...

    AttributeError: 'str' object has no attribute 'startsWith'. Did you mean: 'startswith'?

But the custom filter wouldn't be sound even with the typo fixed, because str.startswith() and Path.resolve() are wrong tools for the job.
Anyway, I suspect that cve-bin-tool's extractors for other file formats are still vulnerable to path traversal, so I wouldn't recommend running it against untrusted files.
-- Jakub Wilk
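The following is an added example written for this page; it is not code from cve-bin-tool, from the commit linked above, or from the poster. It reproduces the posted fallback filter with only the startsWith typo corrected and runs it against constructed member names (pkg/README, ../out-evil/payload, /etc/passwd, none taken from a real archive) in a fresh temporary directory, to show the two problems named in the message: str.startswith() is a string prefix test, so an extraction directory named "out" also "contains" "out-evil", and a relative extraction_path never matches the absolute path that Path.resolve() returns, so nothing is extracted at all. Beside it sits a component-wise containment check that never consults the filesystem, plus the verdicts of the standard library's tarfile.data_filter (PEP 706) on the same members when the interpreter has it. The directory layout and member names are assumptions made for the demonstration.

```python
import os
import posixpath
import tarfile
import tempfile
from pathlib import Path

# Constructed sample members (not from cve-bin-tool or any real archive):
# one benign file, one that escapes through a prefix collision, one absolute.
MEMBER_NAMES = ["pkg/README", "../out-evil/payload", "/etc/passwd"]


def make_members(names=MEMBER_NAMES):
    """Regular-file TarInfo objects, as a TarFile would hand them to a filter."""
    return [tarfile.TarInfo(name) for name in names]


def posted_filter_typo_fixed(members, extraction_path):
    """The fallback filter as posted on the list, with only startsWith ->
    startswith corrected. Otherwise verbatim, so its weaknesses can be shown."""
    for tarmember in members:
        if tarmember.isfile() and str(
            Path(extraction_path, tarmember.name).resolve()
        ).startswith(extraction_path):
            yield tarmember


def sound_filter(members, extraction_path):
    """Component-wise containment check done purely on the archive name,
    without consulting the filesystem (which Path.resolve() does)."""
    root = os.path.normpath(os.path.abspath(extraction_path))
    for member in members:
        # Same policy as the posted code: regular files only. Symlink and
        # hardlink members would additionally need their linkname vetted.
        if not member.isfile():
            continue
        # tar names use '/', so an absolute archive name is a POSIX one.
        if posixpath.isabs(member.name):
            continue
        target = os.path.normpath(os.path.join(root, member.name))
        try:
            contained = os.path.commonpath([root, target]) == root
        except ValueError:  # different drives on Windows
            contained = False
        if contained:
            yield member


def stdlib_filter_results(members, extraction_path):
    """What tarfile.data_filter (PEP 706) decides for each member: the name it
    would extract under, or the FilterError class name. None on interpreters
    that predate the backported filters."""
    if not hasattr(tarfile, "data_filter"):
        return None
    verdicts = {}
    for member in members:
        try:
            verdicts[member.name] = tarfile.data_filter(member, extraction_path).name
        except tarfile.FilterError as exc:
            verdicts[member.name] = type(exc).__name__
    return verdicts


def accepted_names(filter_func, extraction_path):
    return [m.name for m in filter_func(make_members(), extraction_path)]


def fresh_root():
    """An existing extraction directory "<tmp>/out", so that "<tmp>/out-evil"
    is a sibling sharing its prefix. The temp dir is resolve()d first so that
    macOS's /tmp -> /private/tmp symlink does not skew the string comparison."""
    root = Path(tempfile.mkdtemp()).resolve() / "out"
    root.mkdir()
    return str(root)


if __name__ == "__main__":
    root = fresh_root()
    # Prefix collision: "<tmp>/out-evil/payload" starts with "<tmp>/out", so
    # the posted check lets "../out-evil/payload" through.
    print("posted, absolute root:", accepted_names(posted_filter_typo_fixed, root))
    # A relative extraction_path: resolve() yields an absolute path that never
    # startswith() the relative string, so nothing at all is extracted.
    print("posted, relative root:", accepted_names(posted_filter_typo_fixed, "out"))
    print("sound filter:         ", accepted_names(sound_filter, root))
    print("stdlib data filter:   ", stdlib_filter_results(make_members(), root))
```

Note how the standard library's filter treats the absolute member: it does not drop "/etc/passwd" but strips the leading slash and extracts it as "etc/passwd" under the destination, while the parent-directory escape raises OutsideDestinationError. When extractall() is driven by filter="data" that exception aborts the run at the default errorlevel, so an archive with one bad member extracts nothing after it; a fallback for old interpreters has to make the same containment decision itself, on normalised path components rather than on string prefixes.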
Current thread:
- Re: path traversal in tar extract in intel cve-bin-tool Jakub Wilk (Jun 20)
- Re: path traversal in tar extract in intel cve-bin-tool lists (Jun 20)