Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2007-4559 Patch #990

Merged
merged 1 commit into from
Oct 11, 2022
Merged

CVE-2007-4559 Patch #990

merged 1 commit into from
Oct 11, 2022

Conversation

TrellixVulnTeam
Copy link
Contributor

Patching CVE-2007-4559

Hi, we are security researchers from the Advanced Research Center at Trellix. We have began a campaign to patch a widespread bug named CVE-2007-4559. CVE-2007-4559 is a 15 year old bug in the Python tarfile package. By using extract() or extractall() on a tarfile object without sanitizing input, a maliciously crafted .tar file could perform a directory path traversal attack. We found at least one unsantized extractall() in your codebase and are providing a patch for you via pull request. The patch essentially checks to see if all tarfile members will be extracted safely and throws an exception otherwise. We encourage you to use this patch or your own solution to secure against CVE-2007-4559. Further technical information about the vulnerability can be found in this blog.

If you have further questions you may contact us through this projects lead researcher Kasimir Schulz.

@codecov-commenter
Copy link

codecov-commenter commented Oct 9, 2022
edited
Loading

Codecov Report

Base: 35.13% // Head: 35.06% // Decreases project coverage by -0.06% ⚠️

Coverage data is based on head (354a1c1) compared to base (8dea29e).
Patch coverage: 0.00% of modified lines in pull request are covered.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master     #990      +/-   ##
==========================================
- Coverage   35.13%   35.06%   -0.07%     
==========================================
  Files          96       96              
  Lines       16804    16837      +33     
==========================================
  Hits         5904     5904              
- Misses      10900    10933      +33
Impacted Files Coverage Δ
dpgen/auto_test/lib/RemoteJob.py 0.00% <0.00%> (ø)
dpgen/dispatcher/SSHContext.py 21.70% <0.00%> (-1.07%) ⬇️
dpgen/remote/RemoteJob.py 0.00% <0.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

@njzjz njzjz changed the base branch from master to devel October 9, 2022 18:41
@njzjz
Copy link
Member

njzjz commented Oct 10, 2022

@wanghan-iapcm we may want to remove the old dispatcher at some time. Is it ok to start to remove it now?

@wanghan-iapcm
Copy link
Contributor

@wanghan-iapcm we may want to remove the old dispatcher at some time. Is it ok to start to remove it now?

I agree

@wanghan-iapcm wanghan-iapcm merged commit c757223 into deepmodeling:devel Oct 11, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@njzjz njzjz Awaiting requested review from njzjz

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@TrellixVulnTeam @codecov-commenter @njzjz @wanghan-iapcm