[dev][security-sig] Revisiting tarfile, or "What's old is new again"

Jeremy Stanley fungi at yuggoth.org
Thu Sep 22 15:55:20 UTC 2022


The tarfile module from Python's standard library is in the news
this week, with people publicly exploiting the very long-standing
CVE-2007-4559[0] (yes, you read that correctly, *2007*). Some
old-timers in the community might remember this from such popular
hits as OSSA-2011-001: Path traversal issues registering malicious
images using EC2 API[1], our very first OpenStack Security Advisory!

This revived interest in unsafe use of tarfile methods will
undoubtedly have lots of people scanning OpenStack's Git repos
looking for potentially exploitable calls. Indeed, some of our own
community members are already auditing the collective codebase to
make sure new vulnerabilities haven't sneaked in over the 11 years
since this first came up for us, but more help is always welcome.

I encourage anyone using tarfile in their projects to double-check
you're doing so safely[2]. If you rely on bandit to check your source
code, be advised that the most recent 1.7.4 release doesn't catch
this but you can install its main branch[3] instead which does
include a check for it, at least until they tag a new release (which
I have a feeling they'll do quite soon given the recent furor around
this topic).

On a related note, I want to take this opportunity to remind
everyone that OpenStack has a Security Special Interest Group (SIG),
which meets monthly[4] on IRC, and members will also be in
attendance at the upcoming virtual PTG[5] in case anyone is
interested in discussing this or similar subject matter. Our PTG
slot is currently booked for 15:00 UTC Wednesday (2022-10-19),
though we can adjust or book an additional hour at another time if
this conflicts with any tracks people also need to join, just let me
know.

[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4559
[1] https://security.openstack.org/ossa/OSSA-2011-001.html
[2] https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall
[3] https://github.com/pycqa/bandit
[4] https://meetings.opendev.org/#OpenStack_Security_SIG_meeting
[5] https://ptg.opendev.org/ptg.html
-- 
Jeremy Stanley
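The check the post asks projects to double-check, as an added example that is not part of the original mail and not OpenStack or bandit code: every member of an archive is validated against the chosen destination before anything is extracted. It covers the classic `../` and absolute-path names from CVE-2007-4559 and, going a little beyond the tarfile documentation's warning, also rejects symlinks that point outside the destination and later members that would be written through such a link. The sample archives are constructed in memory, `/srv/extract` is an assumed destination path, and the `filter="data"` keyword is only passed where the running Python provides `tarfile.data_filter`.

```python
"""Safe tar extraction: reject members that would escape the destination.

Added example, not code from the original post. tarfile.extractall()
historically trusted member names, so an archive carrying "../../x" or an
absolute path could write outside the directory the caller chose.
The archives below are constructed in memory; "/srv/extract" is assumed.
"""
import io
import os
import tarfile
import tempfile


def _is_within(base, target):
    """True if *target* resolves to a location inside *base*."""
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(target)]) == base


def _check_member(member, dest, seen_links):
    """Return a rejection reason for *member*, or None if it is acceptable."""
    name = member.name
    if os.path.isabs(name):
        return "absolute path"
    target = os.path.join(dest, name)
    if not _is_within(dest, target):
        return "path traversal outside destination"
    # A clean-looking name under a directory that an earlier member created
    # as a symlink would follow that link at extraction time.
    parts = os.path.normpath(name).split(os.sep)
    for i in range(1, len(parts)):
        if os.sep.join(parts[:i]) in seen_links:
            return "writes through an earlier symlink"
    if member.issym():
        # Symlink targets are relative to the member's own directory.
        link_target = os.path.join(os.path.dirname(target), member.linkname)
        if os.path.isabs(member.linkname) or not _is_within(dest, link_target):
            return "symlink points outside destination"
    elif member.islnk():
        # Hard link targets are archive-relative paths.
        if not _is_within(dest, os.path.join(dest, member.linkname)):
            return "hard link points outside destination"
    elif member.ischr() or member.isblk() or member.isfifo():
        return "special file"
    return None


def unsafe_members(tar, dest):
    """List (name, reason) for every member of *tar* that must not be extracted."""
    problems, seen_links = [], set()
    for member in tar.getmembers():
        reason = _check_member(member, dest, seen_links)
        if reason:
            problems.append((member.name, reason))
        if member.issym():
            seen_links.add(os.path.normpath(member.name))
    return problems


def audit(data, dest):
    """Audit an in-memory archive without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return unsafe_members(tar, dest)


def safe_extractall(data, dest):
    """Extract only when every member passes; return the extracted names."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        problems = unsafe_members(tar, dest)
        if problems:
            raise ValueError(f"refusing to extract: {problems}")
        # Newer Pythons ship an extraction filter; use it as a second layer.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
        return [m.name for m in tar.getmembers()]


def build_archive(entries):
    """Build a tar in memory from (name, kind, payload) tuples (constructed data).

    kind is "file" (payload: bytes) or "symlink" (payload: link target).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample: one harmless member and four that must be rejected.
MALICIOUS = [
    ("good/readme.txt", "file", b"harmless\n"),
    ("../../escape.txt", "file", b"outside the tree\n"),
    ("/abs/evil.txt", "file", b"absolute path\n"),
    ("lnk", "symlink", "../outside"),
    ("lnk/inner.txt", "file", b"written through the link\n"),
]
CLEAN = [("good/readme.txt", "file", b"harmless\n")]


def demo():
    """Audit the hostile archive, then extract the clean one into a temp dir."""
    rejected = [name for name, _ in audit(build_archive(MALICIOUS), "/srv/extract")]
    with tempfile.TemporaryDirectory() as dest:
        extracted = safe_extractall(build_archive(CLEAN), dest)
        with open(os.path.join(dest, "good", "readme.txt"), "rb") as fh:
            content = fh.read()
    return {"rejected": rejected, "extracted": extracted, "content": content}


if __name__ == "__main__":
    for name, reason in audit(build_archive(MALICIOUS), "/srv/extract"):
        print(f"REJECT {name!r}: {reason}")
```

The audit runs before any member is written, so a hostile archive is refused as a whole rather than partially extracted; the realpath comparison also handles destinations that are themselves reached through a symlink, as `/tmp` is on some systems.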