Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix tarfile vulnerability #1003

Merged
merged 2 commits into from
Apr 6, 2023
Merged

Fix tarfile vulnerability #1003

merged 2 commits into from
Apr 6, 2023

Conversation

djdameln
Copy link
Contributor

@djdameln djdameln commented Apr 6, 2023

Description

  • Fix tar file vulnerability in line with CVE-2007-4559 Patch #830.
  • CVE-2007-4559 Patch #830 was opened some time ago, addressing a security vulnerability related to python's tarfile package. The PR was outdated (targeting an older version of our code), but the concern was valid, though we were technically not exposed to the vulnerability because we only extract tar files from hard-coded url's and always check the hash. Still I feel it's good practice to use the suggested safe extract where possible, so I repeated and slightly modified the suggested changes to make it more compatible with our code.

Changes

  • Bug fix (non-breaking change which fixes an issue)
  • Refactor (non-breaking change which refactors the code base)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Checklist

  • My code follows the pre-commit style and check guidelines of this project.
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing tests pass locally with my changes
  • I have added a summary of my changes to the CHANGELOG (not for minor changes, docs and tests).

@djdameln djdameln mentioned this pull request Apr 6, 2023
Closed
ashwinvaidya17
ashwinvaidya17 approved these changes Apr 6, 2023
View reviewed changes
Copy link
Collaborator

@ashwinvaidya17 ashwinvaidya17 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for addressing this

@samet-akcay samet-akcay merged commit 74ac98e into openvinotoolkit:main Apr 6, 2023
@djdameln djdameln deleted the fix-tarfile-vulnerability branch December 4, 2024 08:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ashwinvaidya17 ashwinvaidya17 ashwinvaidya17 approved these changes

@samet-akcay samet-akcay Awaiting requested review from samet-akcay

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@djdameln @ashwinvaidya17 @samet-akcay