DescriptionDirectory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs440097, 440099

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


According to upstream this is the intended behaviour for the module.
Since this is a library interface to embed Tar functionality into applications
it is in order to not provide the full security safety belts one might
expect from an enduser application like tar(1). Plus, addressing this would
mean to diverge from upstream permanently and could break the behaviour
of external apps. Anyone who wants to see this "fixed" should rather file
a PEP on an improved tar interface with additional security guarantees
provided by design.

Search for package or bug name: Reporting problems