
feat: add unblob based tarfile extractor

Open joydeep049 opened this issue 1 year ago • 5 comments

Following the discussion on https://github.com/intel/cve-bin-tool/issues/3841, I propose that we should add an unblob-based tarfile extractor, since the 'tarfile' library is vulnerable to path traversal and thus has a high severity score.

The only downside to this would be that unblob doesn't seem to work on Windows. But since cve-bin-tool is mostly made to be used on Linux, I thought what's the problem! :)

Let me know what you think about this @terriko @ffontaine .

joydeep049 avatar Feb 26 '24 14:02 joydeep049

Since I'm already familiar with extractors, I would like to work on this.

joydeep049 avatar Feb 26 '24 14:02 joydeep049

Darnit, if this doesn't work on Windows, unblob is going to have to go way down my priority list. We absolutely need a solution for Windows first. (Not having a solution for Windows is currently the ONLY thing blocking the 3.3 release.)

terriko avatar Feb 26 '24 19:02 terriko

Then I guess we have to research more ways to extract tar files, or wait for unblob to release a Windows version.

joydeep049 avatar Feb 26 '24 19:02 joydeep049

Waiting is definitely not an option for the 3.3 release! I need a fix within the next couple of weeks or we'll have to ask Windows users to install tar going forwards.

terriko avatar Feb 26 '24 21:02 terriko

> Waiting is definitely not an option for the 3.3 release! I need a fix within the next couple of weeks or we'll have to ask Windows users to install tar going forwards.

I'll do some research and let you know by the end of the week.

joydeep049 avatar Feb 27 '24 15:02 joydeep049

Hello @terriko @ffontaine @anthonyharrison, I did some research but was not able to find any Python library which extracts tar files for both Windows and Linux. But what we could do is use the tar command via the subprocess module to extract tarfiles. The only catch is that the Windows users should have the tar command installed and added to the PATH variable, since on Windows it's not pre-installed sometimes. If this works I'll have the PR ready soon. Thanks!

joydeep049 avatar Mar 03 '24 13:03 joydeep049

I've started experimenting with this in https://github.com/intel/cve-bin-tool/pull/3849 but neither calling tar directly nor 7z seems to be doing what I'm expecting. I haven't actually put much effort into debugging it, so it could be a matter of how they need to be called, an argument I have incorrect, or inpath() not behaving as expected on Windows. Or it could be something about how those things are installed in the CI environment specifically.

Don't let the fact that I did the first experiments deter you from experimenting. My plan for that PR is to revert the Windows code so we can at least get the test merged when I've got time to clean that one up for code review (probably Monday). So any further work on Windows I'd expect to be in a separate PR, and it doesn't have to come from me if someone else finds a solution first.

terriko avatar Mar 07 '24 21:03 terriko

We currently have an acceptable (if not exceptional) solution for tarfile, including on Windows (where we just require Python 3.12+). I don't think we're going to revisit the unblob idea, so I'm going to close this.

terriko avatar Apr 17 '24 23:04 terriko
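The tarfile path-traversal concern that opened this issue, and the Python 3.12+ route the closing comment settled on, as an added example that is not cve-bin-tool's own code: a cross-platform extractor that drops any member resolving outside the destination and, where the interpreter provides it, also applies the stdlib `data` filter. The manual fallback check, the helper names and the constructed sample archive are assumptions for illustration.

```python
import io
import tarfile
import tempfile
from pathlib import Path

def _is_within(base: Path, target: Path) -> bool:
    """True if target resolves to a location inside base (symlinks followed)."""
    try:
        target.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False

def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Extract into dest, skipping members that would escape it; return names written."""
    base = Path(dest)
    base.mkdir(parents=True, exist_ok=True)
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not (member.isfile() or member.isdir()):  # files/dirs only; links need own checks
                continue
            # "../evil.txt" or "/etc/x" resolve outside base and are dropped here
            if not _is_within(base, base / member.name):
                continue
            if hasattr(tarfile, "data_filter"):  # Python 3.12+ and security backports
                tf.extract(member, path=base, filter="data")  # stdlib filter as second guard
            else:
                tf.extract(member, path=base)  # older interpreters: manual check only
            written.append(member.name)
    return written

def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign file plus one path-traversal member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in [("ok/file.txt", b"fine"), ("../evil.txt", b"escape")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def run_demo() -> tuple:
    """Extract the sample into a fresh temp dir; report what landed where."""
    dest = Path(tempfile.mkdtemp()) / "out"
    names = safe_extract(build_sample_tar(), str(dest))
    ok_data = (dest / "ok" / "file.txt").read_bytes()
    escaped = (dest.parent / "evil.txt").exists()
    return names, ok_data, escaped
```

Calling `run_demo()` writes only `ok/file.txt` under the destination and leaves nothing in its parent, which is the property the path-traversal report is about.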