Fix CVE-2007-4559 by adding filter parameter to tarfile.extractall

(cherry picked from commit 5fe21d591acf1983cf2515a768885427f2f300c8)
2023-08-07 14:46:53 +08:00 · 2023-08-07 14:46:53 +08:00 · c2474ce9e7
commit c2474ce9e7
parent de933dcde4
2 changed files with 2469 additions and 3 deletions
--- a/backport-CVE-2007-4559.patch
+++ b/backport-CVE-2007-4559.patch
--- a/python3.spec
+++ b/python3.spec
@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/

 Version: 3.9.9
-Release: 24
+Release: 25
 License: Python-2.0

 %global branchversion 3.9
@ -104,6 +104,7 @@ Patch6010: backport-CVE-2022-42919.patch
 Patch6011: backport-CVE-2022-45061.patch
 Patch6012: backport-CVE-2022-37454.patch
 Patch6013: backport-Make-urllib.parse.urlparse-enforce-that-a-scheme-mus.patch
+Patch6014: backport-CVE-2007-4559.patch

 Patch9000: add-the-sm3-method-for-obtaining-the-salt-value.patch
 Patch9001: python3-Add-sw64-architecture.patch
@ -207,6 +208,7 @@ rm -r Modules/expat
 %patch6011 -p1
 %patch6012 -p1
 %patch6013 -p1
+%patch6014 -p1

 %patch9000 -p1
 %patch9001 -p1
@ -244,7 +246,7 @@ export LDFLAGS_NODIST="%{build_ldflags} -g $(pkg-config --libs-only-L openssl)"

 %ifarch %{arm} aarch64
 export CFLAGS="$CFLAGS -funsigned-char"
-%endif 
+%endif

 DebugBuildDir=build/debug
 mkdir -p ${DebugBuildDir}
@ -836,6 +838,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*

 %changelog
+* Mon Aug 07 2023 zhaoyu <zhaoyu64@huawei.com>- 3.9.9-25
+- Type:CVE
+- CVE:CVE-2007-4559
+- SUG:NA
+- DESC:Add a filter parameter to tarfile.extractall will allow users to avoid CVE-2007-4559 by changing their code/settings.
+
 * Thu Apr 06 2023 shixuantong <shixuantong1@huawei.com>- 3.9.9-24
 - Type:CVE
 - CVE:CVE-2023-24329
@ -990,7 +998,7 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 - Type:bugfix
 - ID:NA
 - SUG:NA
- DESC:deleting gdb build dependency 
+- DESC:deleting gdb build dependency

 * Mon May 31 2021 shixuantong<shixuantong@huawei.com> - 3.8.5-11
 - Type:CVE