[dev][security-sig] Revisiting tarfile, or "What's old is new again"
The tarfile module from Python's standard library is in the news this week, with people publicly exploiting the very long-standing CVE-2007-4559[0] (yes, you read that correctly, *2007*). Some old-timers in the community might remember this from such popular hits as OSSA-2011-001: Path traversal issues registering malicious images using EC2 API[1], our very first OpenStack Security Advisory!

This revived interest in unsafe use of tarfile methods will undoubtedly have lots of people scanning OpenStack's Git repos looking for potentially exploitable calls. Indeed, some of our own community members are already auditing the collective codebase to make sure new vulnerabilities haven't sneaked in over the 11 years since this first came up for us, but more help is always welcome. I encourage anyone using tarfile in their projects to double-check you're doing so safely[2]. If you rely on bandit to check your source code, be advised that the most recent 1.7.4 release doesn't catch this, but you can install its main branch[3] instead, which does include a check for it, at least until they tag a new release (which I have a feeling they'll do quite soon given the recent furor around this topic).

On a related note, I want to take this opportunity to remind everyone that OpenStack has a Security Special Interest Group (SIG), which meets monthly[4] on IRC, and members will also be in attendance at the upcoming virtual PTG[5] in case anyone is interested in discussing this or similar subject matter. Our PTG slot is currently booked for 15:00 UTC Wednesday (2022-10-19), though we can adjust or book an additional hour at another time if this conflicts with any tracks people also need to join; just let me know.
[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4559
[1] https://security.openstack.org/ossa/OSSA-2011-001.html
[2] https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall
[3] https://github.com/pycqa/bandit
[4] https://meetings.opendev.org/#OpenStack_Security_SIG_meeting
[5] https://ptg.opendev.org/ptg.html

-- 
Jeremy Stanley
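The kind of pre-extraction check that [2] asks for, as an added example that is not part of the original message or of any OpenStack project: every member name and link target is resolved against the destination directory before anything touches disk, and the whole archive is refused if any member would land outside it. The sample archive is constructed in memory for the demonstration; the destination path is an assumption supplied by the caller.

```python
import io
import os
import tarfile


def _inside(dest, path):
    """True if path (absolutized) stays under dest; commonpath beats startswith."""
    dest, path = os.path.abspath(dest), os.path.abspath(path)
    return os.path.commonpath([dest, path]) == dest


def check_members(tar, dest):
    """Return member names that would land outside dest; [] means safe. Writes nothing."""
    unsafe = []
    for m in tar.getmembers():
        target = os.path.join(dest, m.name)
        if m.issym():    # symlink targets are relative to the link's own directory
            link_target = os.path.join(os.path.dirname(target), m.linkname)
        elif m.islnk():  # hardlink targets are relative to the archive root
            link_target = os.path.join(dest, m.linkname)
        else:
            link_target = target
        # absolute names, '..' components and links pointing out all fail here
        if not (_inside(dest, target) and _inside(dest, link_target)):
            unsafe.append(m.name)
    return unsafe


def safe_extractall(tar, dest):
    """Refuse the whole archive if any member would escape dest."""
    unsafe = check_members(tar, dest)
    if unsafe:
        raise tarfile.TarError("members escape %s: %s" % (dest, unsafe))
    tar.extractall(dest)


def build_sample_archive():
    """Constructed in-memory sample: a benign file, a '..' traversal, a symlink out."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("images/disk.vmdk", "../../outside.txt"):
            info = tarfile.TarInfo(name)
            info.size = 6
            tar.addfile(info, io.BytesIO(b"hello\n"))
        link = tarfile.TarInfo("escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "/tmp/outside"
        tar.addfile(link)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r:")
```

Python 3.12 (and the PEP 706 backports to supported 3.8 to 3.11 releases) added a `filter` argument to `extractall`; `filter="data"` performs this kind of rejection inside the library, so code that can require those versions should prefer it over a hand-rolled check.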
> I encourage anyone using tarfile in their projects to double-check you're doing so safely[2].

I looked at Nova and Glance this morning and I think we're good. The only use in nova is in the vmwareapi driver, which does use tarfile to pull out a vmdk file, but it does so in memory and streams it direct to vmfs without extracting it to the local disk. Glance's only use is in the ova processing, which extracts the ovf and disk image from the tarfile, but it processes the ovf in memory and then streams the disk image to a uuid-based-name file on disk.

So I think those are okay at least, although I'm happy for others to check my work of course.

--Dan