[Buildroot] [PATCH] utils/scanpypi: protect against zip-slip vulnerability in zip/tar handling

Peter Korsgaard peter at korsgaard.com
Thu Feb 21 12:54:29 UTC 2019


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > For details, see https://github.com/snyk/zip-slip-vulnerability
 > Older python versions do not validate that the extracted files are inside
 > the target directory.  Detect and error out on evil paths before extracting
 > .zip / .tar file.

 > Given the scope of this (zip issue was fixed in python 2.7.4, released
 > 2013-04-06, scanpypi is only used by a developer when adding a new python
 > package), the security impact is fairly minimal, but it is good to get it
 > fixed anyway.

 > Reported-by: Bas van Schaik <security-reports at semmle.com>
 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2018.02.x and 2018.11.x, thanks.

-- 
Bye, Peter Korsgaard
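The pre-extraction path check that the quoted commit message describes, as an added example written for this page and not scanpypi's own code; it assumes Python 3 and validates the member names of both zip and tar archives against the destination directory before anything is extracted.

```python
import os
import tarfile
import tempfile
import zipfile

def is_safe_member(dest_dir, member_name):
    # Safe only if the resolved target stays under dest_dir: this rejects
    # absolute names and any ".." component that would climb out of it.
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return os.path.commonpath([dest_real, target]) == dest_real

def archive_member_names(archive_path):
    # List member names without extracting; handles .zip and tar variants.
    if zipfile.is_zipfile(archive_path):
        with zipfile.ZipFile(archive_path) as zf:
            return zf.namelist()
    with tarfile.open(archive_path) as tf:
        return tf.getnames()

def check_and_extract(archive_path, dest_dir):
    # Refuse the whole archive if any member would land outside dest_dir.
    # Symlink members whose target points outside dest_dir are not covered.
    names = archive_member_names(archive_path)
    evil = [n for n in names if not is_safe_member(dest_dir, n)]
    if evil:
        raise ValueError("unsafe paths in archive: " + ", ".join(evil))
    if zipfile.is_zipfile(archive_path):
        with zipfile.ZipFile(archive_path) as zf:
            zf.extractall(dest_dir)
    else:
        with tarfile.open(archive_path) as tf:
            tf.extractall(dest_dir)

def demo():
    # Constructed sample zip (one good member, one zip-slip member); returns (flagged, refused).
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "sample.zip")
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("pkg-1.0/setup.py", "# harmless\n")
            zf.writestr("../../evil.txt", "escaped\n")
        dest = os.path.join(tmp, "extract")
        flagged = [n for n in archive_member_names(archive)
                   if not is_safe_member(dest, n)]
        try:
            check_and_extract(archive, dest)
            return flagged, False
        except ValueError:
            return flagged, True
```

Running `demo()` flags only `../../evil.txt` and refuses the archive without writing any file, which is the behaviour the fix aims for regardless of the interpreter's own extraction sanitisation.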

