This vulnerability exists in pip’s fallback code for extracting tar archives on Python versions that do not implement PEP 706. When Python’s built-in `tarfile` module lacks the security features from PEP 706, pip uses its own extraction logic. The flaw is that this custom logic did not properly validate that symbolic links inside a tar file point to a location within the intended extraction directory. An attacker could create a malicious package containing a tar archive with a symlink that points to an arbitrary location on the victim’s filesystem, such as `../../../etc/passwd`. During installation, pip would follow this symlink and write files outside the safe extraction target, potentially overwriting critical system files. This allows arbitrary file write via directory traversal, compromising system integrity. The issue is mitigated by using a Python version that already includes PEP 706.
Platform: Python/pip
Version: <24.3.1
Vulnerability: Directory Traversal
Severity: Moderate
Date: 2024-09-24
Prediction: Patch expected 2024-10-01
What Undercode Say:
```shell
# Simulating malicious tar creation
tar -cvf malicious.tar --transform 's,^,malicious-package/,' ./link-to-etc
ln -sf /etc/passwd link-to-etc
# Using pip to install (vulnerable version)
pip install ./malicious-package.tar.gz
```
Example check for PEP 706 support:

```python
import tarfile

# PEP 706 added tarfile.data_filter; its presence means the interpreter's own
# extraction filters are available and pip will not fall back to its custom code.
if hasattr(tarfile, 'data_filter'):
    print("PEP 706 supported - pip uses secure tarfile")
else:
    print("Using pip's fallback - potentially vulnerable")
```
How to Exploit:
Create a malicious source distribution (sdist) with a tar archive containing symbolic links that traverse outside the extraction directory. When a user installs this package with a vulnerable version of pip on a Python version that lacks PEP 706 support, the symlink is followed, allowing arbitrary file overwrite.
Protection from this CVE
Upgrade pip to version 24.3.1 or later. Alternatively, upgrade the underlying Python interpreter to a version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12). This ensures the secure `tarfile` module is used instead of pip’s fallback code.
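As an added illustration (not pip's own code and not part of the original post), the following pre-extraction check validates every member of a tar archive: where PEP 706 is present it defers to the standard library's `tarfile.data_filter`, and otherwise it applies the symlink-target test that the vulnerable fallback omitted. The destination directory name and the constructed sample archive are assumptions for the demo.

```python
import io
import os
import tarfile

def _link_escapes(member, dest_real):
    """Fallback for interpreters without PEP 706: would this member, or the
    target of a symlink/hard-link member, resolve outside dest_real?"""
    target = os.path.realpath(os.path.join(dest_real, member.name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return True
    if member.issym() or member.islnk():
        # Symlink targets are relative to the link's own directory; hard-link
        # targets are relative to the archive root. Absolute targets stay absolute.
        base = os.path.dirname(target) if member.issym() else dest_real
        link_target = os.path.realpath(os.path.join(base, member.linkname))
        return os.path.commonpath([dest_real, link_target]) != dest_real
    return False

def check_archive(data, dest="extract-dest"):
    """Return names of members that would escape dest; an empty list means safe."""
    dest_real = os.path.realpath(dest)  # assumed destination, never written to
    escaping = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            if hasattr(tarfile, "data_filter"):
                # PEP 706 available: the stdlib filter rejects unsafe members itself.
                try:
                    tarfile.data_filter(member, dest_real)
                except tarfile.FilterError:
                    escaping.append(member.name)
            elif _link_escapes(member, dest_real):
                escaping.append(member.name)
    return escaping

def build_sample_archive(linkname):
    """Constructed sdist-like tarball: one benign file plus a symlink named
    link-to-etc whose target is `linkname` (e.g. ../../../etc/passwd)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        setup = tarfile.TarInfo("malicious-package/setup.py")
        payload = b"from setuptools import setup\nsetup(name='x')\n"
        setup.size = len(payload)
        tf.addfile(setup, io.BytesIO(payload))
        link = tarfile.TarInfo("malicious-package/link-to-etc")
        link.type = tarfile.SYMTYPE
        link.linkname = linkname  # constructed target for the demo
        tf.addfile(link)
    return buf.getvalue()
```

Running `check_archive` on an archive built with a traversing or absolute link target flags `malicious-package/link-to-etc`, while a link that stays inside the package directory passes.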
Impact:
Arbitrary file overwrite, leading to system compromise, denial of service, or privilege escalation if critical files are modified.
Sources:
Reported By: github.com