CVE-2007-4559

Publication date 28 August 2007

Last updated 24 July 2024


Ubuntu priority

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

Read the notes from the security team

Status

Package Ubuntu Release Status
python2.3 9.10 karmic Not in release
9.04 jaunty Not in release
8.10 intrepid Not in release
8.04 LTS hardy Not in release
6.06 LTS dapper Ignored end of life
python2.4 9.10 karmic Ignored
9.04 jaunty Ignored
8.10 intrepid Ignored
8.04 LTS hardy Ignored
6.06 LTS dapper Ignored
python2.5 9.10 karmic Ignored
9.04 jaunty Ignored
8.10 intrepid Ignored
8.04 LTS hardy Ignored
6.06 LTS dapper Not in release
python2.6 9.10 karmic Ignored
9.04 jaunty Ignored
8.10 intrepid Not in release
8.04 LTS hardy Not in release
6.06 LTS dapper Not in release
python2.7 23.10 mantic Not in release
23.04 lunar Not in release
22.04 LTS jammy Ignored
20.04 LTS focal Ignored
18.04 LTS bionic Ignored
16.04 LTS xenial Ignored
14.04 LTS trusty Ignored
python3.0 9.10 karmic Ignored
9.04 jaunty Ignored
8.10 intrepid Ignored
8.04 LTS hardy Not in release
6.06 LTS dapper Not in release
python3.1 9.10 karmic Ignored
9.04 jaunty Not in release
8.10 intrepid Not in release
8.04 LTS hardy Not in release
6.06 LTS dapper Not in release
python3.10 23.10 mantic Not in release
23.04 lunar Not in release
22.04 LTS jammy
Fixed 3.10.12-1~22.04.2
20.04 LTS focal Not in release
18.04 LTS bionic Not in release
16.04 LTS xenial Not in release
14.04 LTS trusty Not in release
python3.11 23.10 mantic
Not affected
23.04 lunar
Fixed 3.11.4-1~23.04
22.04 LTS jammy Ignored
20.04 LTS focal Not in release
18.04 LTS bionic Not in release
16.04 LTS xenial Not in release
14.04 LTS trusty Not in release
python3.12 23.10 mantic
Not affected
23.04 lunar Not in release
22.04 LTS jammy Not in release
20.04 LTS focal Not in release
18.04 LTS bionic Not in release
16.04 LTS xenial Not in release
14.04 LTS trusty Not in release
python3.4 23.10 mantic Not in release
23.04 lunar Not in release
22.04 LTS jammy Not in release
20.04 LTS focal Not in release
18.04 LTS bionic Not in release
16.04 LTS xenial Not in release
14.04 LTS trusty Ignored
python3.5 23.10 mantic Not in release
23.04 lunar Not in release
22.04 LTS jammy Not in release
20.04 LTS focal Not in release
18.04 LTS bionic Not in release
16.04 LTS xenial Ignored
14.04 LTS trusty Ignored
python3.6 23.10 mantic Not in release
23.04 lunar Not in release
22.04 LTS jammy Not in release
20.04 LTS focal Not in release
18.04 LTS bionic Ignored
16.04 LTS xenial Not in release
14.04 LTS trusty Not in release
python3.7 23.10 mantic Not in release
23.04 lunar Not in release
22.04 LTS jammy Not in release
20.04 LTS focal Not in release
18.04 LTS bionic Ignored end of standard support
16.04 LTS xenial Not in release
14.04 LTS trusty Not in release
python3.8 23.10 mantic Not in release
23.04 lunar Not in release
22.04 LTS jammy Not in release
20.04 LTS focal Ignored
18.04 LTS bionic Ignored end of standard support
16.04 LTS xenial Not in release
14.04 LTS trusty Not in release
python3.9 23.10 mantic Not in release
23.04 lunar Not in release
22.04 LTS jammy Not in release
20.04 LTS focal Ignored
18.04 LTS bionic Not in release
16.04 LTS xenial Not in release
14.04 LTS trusty Not in release

Notes


mdeslaur

Upstream python eventually decided to fix this by adding an additional option to the affected functions to specify adding a filter. See PEP 706. While this does not change the default behaviour, applications modified to use the filter can now safely extract untrusted tar files. Due to the default not changing, we will not be fixing this issue in older Python releases, marking as ignored.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
python3.10
python3.11
python3.8
python3.9