
Conversation

@YuchenJin
Contributor

@YuchenJin YuchenJin commented Jan 10, 2023

Borrowed from tlc-pack/relax#335. The original author is @TrellixVulnTeam from the Advanced Research Center at Trellix.

This PR patches the security vulnerability CVE-2007-4559 in the Arduino and Zephyr Project API servers. CVE-2007-4559 is a 15-year-old bug in the Python tarfile package. By using extract() or extractall() on a tarfile object without sanitizing input, a maliciously crafted .tar Model Library Format file could perform a directory path traversal attack, silently overwriting files outside the target project dir, for instance when creating new projects. The patch essentially checks to see if all tarfile members will be extracted safely and throws an exception otherwise. Further technical information about the vulnerability can be found in this blog.


Co-authored-by: TrellixVulnTeam kasimir.schulz@trellix.com

@tvm-bot
Collaborator

tvm-bot commented Jan 10, 2023

Thanks for contributing to TVM! Please refer to the contributing guidelines https://tvm.apache.org/docs/contribute/ for useful information and tips. Please request code reviews from Reviewers by @-ing them in a comment.

Generated by tvm-bot

Contributor

@gromero gromero left a comment


@YuchenJin Hi. Thanks a lot for the patch! I've left some comments inline, but otherwise LGTM.
The CI errors are trivial to fix, just remove the period after the PR title and commit title when sending the PR again.

@gromero gromero changed the title [microTVM] CVE-2007-4559 patch. [microTVM] Fix security vulnerability CVE-2007-4559 Jan 10, 2023
@gromero
Contributor

gromero commented Jan 10, 2023

@YuchenJin I've tweaked the PR description a bit to give more context on how this CVE could affect microTVM specifically.

@gromero
Contributor

gromero commented Jan 10, 2023

cc @guberti since it also touches Arduino and also because tvm-bot didn't tag him :-)

@gromero
Contributor

gromero commented Jan 26, 2023

@YuchenJin Friendly ping :-)

Member

@guberti guberti left a comment


I agree with @gromero's comments - other than that, LGTM.

@YuchenJin
Contributor Author

Thank you @gromero @guberti for the reviews and suggestions, updated accordingly.

@gromero
Contributor

gromero commented Jan 31, 2023

@tvm-bot rerun

@github-actions
Contributor

Failed to re-run CI in https://github.com/apache/tvm/actions/runs/4055383350

Details
Traceback (most recent call last):
  File "ci/scripts/github/github_tvmbot.py", line 594, in comment_failure
    raise item
  File "ci/scripts/github/github_tvmbot.py", line 700, in run
    pr.rerun_jenkins_ci()
  File "ci/scripts/github/github_tvmbot.py", line 553, in rerun_jenkins_ci
    post(url, auth=("tvm-bot", TVM_BOT_JENKINS_TOKEN))
  File "/home/runner/work/tvm/tvm/ci/scripts/jenkins/git_utils.py", line 53, in post
    with request.urlopen(req, data) as response:
  File "/usr/lib/python3.8/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.8/urllib/request.py", line 531, in open
    response = meth(req, response)
  File "/usr/lib/python3.8/urllib/request.py", line 640, in http_response
    response = self.parent.error(
  File "/usr/lib/python3.8/urllib/request.py", line 569, in error
    return self._call_chain(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 502, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 649, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 500: Server Error

with response: Jenkins 2.361.2 error page ("Oops! A problem occurred while processing the request.", Logging ID=0ed0d548-13e4-4006-94b8-02f3363d7674) for the POST to /job/tvm-minimal-cross-isa/job/PR-13751/buildWithParameters.

@gromero
Contributor

gromero commented Jan 31, 2023

@driazati Hi. Do you know why I can't retrigger the CI in this PR? (see error above).

@driazati
Member

Not sure exactly what went wrong with Jenkins but it seems like there are a few legit CI errors still remaining

@gromero
Contributor

gromero commented Jan 31, 2023

@driazati hm the error really doesn't seem to be related to the change proposed here. Could it be related to this change #13812 and so needs a CI retrigger indeed?

@driazati
Member

The lint error (https://ci.tlcpack.ai/blue/organizations/jenkins/tvm-lint/detail/PR-13751/3/pipeline) is definitely real so this will at least need a fix for that, a rebase probably wouldn't hurt either

@gromero
Contributor

gromero commented Jan 31, 2023

> The lint error (https://ci.tlcpack.ai/blue/organizations/jenkins/tvm-lint/detail/PR-13751/3/pipeline) is definitely real so this will at least need a fix for that, a rebase probably wouldn't hurt either

@driazati ah, fair enough! I was looking at a different log: https://ci.tlcpack.ai/blue/rest/organizations/jenkins/pipelines/tvm-arm/branches/PR-13751/runs/3/nodes/104/steps/142/log/?start=0

Contributor

@gromero gromero left a comment


@YuchenJin Thanks a lot for addressing the comments. Please see my new comments inline.

Also, since the exception message got longer, it's necessary to break the line accordingly to satisfy the linter (see David's comment above). Also, could you please rebase (not merge) your code onto HEAD? Thanks!

def _safe_extract(tar, path=".", members=None, *, numeric_owner=False):
    def is_within_directory(directory, member):

        target = os.path.join(path, member.name)
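Review bot: is_within_directory tests only member.name, so a symlink or hardlink member whose linkname points outside the target directory passes the check, and a later member whose name goes through that link (for example a symlink `out` -> `../..` followed by a regular file `out/payload`) is written outside the directory by extract()/extractall() even though every name in the archive looks local. Suggest running the same containment test on member.linkname (resolved relative to the link's own parent directory for symlinks, and relative to the extraction root for hardlinks) and rejecting member types other than regular files, directories and in-tree links, so that the check covers everything extractall() will actually create.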
Contributor


path here is being taken from the outer scope, i.e. from path="." arg in _safe_extract. path is also passed to _is_within_directory() as directory arg, so could it be changed to actually:

target = os.path.join(directory, member.name)

?

nit: If you wish, this line could be put immediately before the line where target is used, i.e. before line 185 (abs_target = ...).

Contributor Author


Thank you @gromero for your suggestions! I rebased and updated, let's see if the ci complains this time. :)

@gromero gromero changed the title [microTVM] Fix security vulnerability CVE-2007-4559 [microTVM] Mitigate security vulnerability CVE-2007-4559 Jan 31, 2023
@gromero
Contributor

gromero commented Feb 2, 2023

@tvm-bot rerun

@github-actions
Contributor

github-actions bot commented Feb 2, 2023

Failed to re-run CI in https://github.com/apache/tvm/actions/runs/4078496473

Details
Traceback (most recent call last):
  File "ci/scripts/github/github_tvmbot.py", line 594, in comment_failure
    raise item
  File "ci/scripts/github/github_tvmbot.py", line 700, in run
    pr.rerun_jenkins_ci()
  File "ci/scripts/github/github_tvmbot.py", line 553, in rerun_jenkins_ci
    post(url, auth=("tvm-bot", TVM_BOT_JENKINS_TOKEN))
  File "/home/runner/work/tvm/tvm/ci/scripts/jenkins/git_utils.py", line 53, in post
    with request.urlopen(req, data) as response:
  File "/usr/lib/python3.8/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.8/urllib/request.py", line 531, in open
    response = meth(req, response)
  File "/usr/lib/python3.8/urllib/request.py", line 640, in http_response
    response = self.parent.error(
  File "/usr/lib/python3.8/urllib/request.py", line 569, in error
    return self._call_chain(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 502, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 649, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 500: Server Error

with response: Jenkins 2.361.2 error page ("Oops! A problem occurred while processing the request.", Logging ID=dac9674d-64f1-4693-ae93-946ccbb29959) for the POST to /job/tvm-minimal-cross-isa/job/PR-13751/buildWithParameters.

@tqchen
Member

tqchen commented Feb 28, 2023

@tvm-bot rerun

@disconnect3d

Hi, just a random heads up that this fix for path traversal in tar.extractall is insufficient. Here you can read more information about it: python/cpython#74453 (comment)
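As an added illustration of both the mitigation this PR carries (the name-only is_within_directory check described in the PR description) and the gap disconnect3d's comment refers to, the following is example code written for this page; it is not code from the TVM PR, from microTVM, or from the CPython issue. It constructs, in memory, two malicious archives (a `../` member name as in the PR description, and a symlink named `out` pointing at `../..` followed by a file written through it) plus one benign archive, and runs each through a name-only check versus a check that also validates link targets. `_within`, `name_only_check`, `hardened_check`, the archive builders, `is_rejected`, `safe_extract` and the `project` destination directory are all names chosen here; the `filter="data"` argument is the real tarfile API from PEP 706 (Python 3.12, and the 3.8 to 3.11 security backports) and is passed only where the interpreter provides it.

```python
import io
import os
import tarfile
import tempfile


def _within(base, candidate):
    """True if `candidate` resolves to `base` or below it. commonpath rather than
    a string-prefix test, so /x/project2 does not count as inside /x/project."""
    base = os.path.realpath(base)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([base, candidate]) == base


def name_only_check(tar, dest):
    """The widely copied CVE-2007-4559 mitigation: only member *names* are tested."""
    for m in tar.getmembers():
        if not _within(dest, os.path.join(dest, m.name)):
            raise ValueError(f"attempted path traversal in tar file: {m.name}")


def hardened_check(tar, dest):
    """Also rejects links whose target leaves `dest` (a symlink target is relative to
    the link's own directory, a hardlink target to the archive root) and any member
    that is not a plain file, directory or in-tree link."""
    for m in tar.getmembers():
        if not _within(dest, os.path.join(dest, m.name)):
            raise ValueError(f"attempted path traversal in tar file: {m.name}")
        if m.issym():
            link_dir = os.path.join(dest, os.path.dirname(m.name))
            if not _within(dest, os.path.join(link_dir, m.linkname)):
                raise ValueError(f"symlink escapes target dir: {m.name} -> {m.linkname}")
        elif m.islnk():
            if not _within(dest, os.path.join(dest, m.linkname)):
                raise ValueError(f"hardlink escapes target dir: {m.name} -> {m.linkname}")
        elif not (m.isfile() or m.isdir()):
            raise ValueError(f"refusing special member type: {m.name}")


def _build_tar(members):
    """Constructed sample archive; `members` is a list of (TarInfo, bytes or None)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for info, data in members:
            if data is None:
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def traversal_tar():
    """The PR's scenario: a member name that climbs out of the project dir."""
    return _build_tar([(tarfile.TarInfo("../../escaped.txt"), b"owned\n")])


def symlink_tar():
    """Every member *name* stays inside the project, but `out` is a symlink to the
    grandparent directory and the next member is written through it."""
    link = tarfile.TarInfo("out")
    link.type = tarfile.SYMTYPE
    link.linkname = "../.."
    return _build_tar([(link, None), (tarfile.TarInfo("out/escaped.txt"), b"owned\n")])


def benign_tar():
    """A well-formed archive: one directory and one source file."""
    d = tarfile.TarInfo("src")
    d.type = tarfile.DIRTYPE
    d.mode = 0o755
    return _build_tar([(d, None), (tarfile.TarInfo("src/model.c"), b"int x;\n")])


def is_rejected(check, archive_fn):
    """True if `check` raises for the archive; nothing is extracted."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "project")
        os.makedirs(dest)
        with tarfile.open(fileobj=archive_fn(), mode="r") as tar:
            try:
                check(tar, dest)
            except ValueError:
                return True
    return False


def safe_extract(archive_fn, dest):
    """Scan first, then extract; where PEP 706 is available, tarfile's own 'data'
    filter re-checks every member at extraction time. Returns the member names."""
    with tarfile.open(fileobj=archive_fn(), mode="r") as tar:
        hardened_check(tar, dest)
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
        return sorted(m.name for m in tar.getmembers())


def extract_benign_demo():
    """Round-trip the benign archive into a temp dir: (names, src/model.c exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "project")
        os.makedirs(dest)
        names = safe_extract(benign_tar, dest)
        return names, os.path.isfile(os.path.join(dest, "src", "model.c"))


if __name__ == "__main__":
    for check in (name_only_check, hardened_check):
        print(check.__name__, [is_rejected(check, a) for a in (traversal_tar, symlink_tar, benign_tar)])
    print(extract_benign_demo())
```

Run as a script, the name-only check rejects only the `../` archive, while the hardened check rejects both malicious archives and still extracts the benign one. Both checks are pre-extraction scans and therefore still race against a filesystem that changes between the scan and the write; on interpreters that ship the data filter, `extractall(dest, filter="data")` alone is the supported fix, because it validates each member at the moment it is created.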

@tqchen tqchen closed this Dec 10, 2024
7 participants