This is the committed fix:
https://github.com/intel/cve-bin-tool/commit/b4feb03f19acecc1
The fix is twofold:
1) If tarfile extraction filters are available (initially added in
Python 3.12, but also backported to 3.11.4, 3.10.12, 3.9.17 and 3.8.17)
in the standard library, the code makes use of that.
2) Otherwise, it tries to sanitize tar files on its own, like this:
for tarmember in members:
if tarmember.isfile() and str(
Path(extraction_path, tarmember.name).resolve()
).startsWith(extraction_path):
yield tarmember
This cleverly sidesteps path traversal by not extracting anything at
all, because...
AttributeError: 'str' object has no attribute 'startsWith'. Did you mean:
'startswith'?
But the custom filter wouldn't be sound even with the typo fixed,
because str.startswith() and Path.resolve() are wrong tools for the job.
Anyway, I suspect that cve-bin-tool's extractors for other file formats
are still vulnerable to path traversal, so I wouldn't recommend running
it against untrusted files.
--
Jakub Wilk
