Safety vulnerability ID: 51974
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Pypdfium2 3.9.0 includes a fix for CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
Latest version: 4.30.0
Python bindings to PDFium
Summary (pypdfium2)
- PDFium should now be compatible with Docker again.
- In setup code, implemented a workaround to sanitize tar archives on extraction, preventing CVE-2007-4559 directory path traversal attacks in case of malicious input.
Thanks to Kasimir Schulz of Trellix Research.
*Note that wheels have never been affected, and that this issue could only be exploited with a malicious release of pdfium-binaries. Nonetheless, to be safe, older versions of pypdfium2 should not be installed from source anymore.*
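As an added illustration of the kind of archive sanitization the release note describes (example code written for this page, not pypdfium2's own setup code), the following Python vets every member of a tar archive against the destination directory before anything is written to disk, rejecting `..` sequences, absolute names, and symlinks or hard links that point outside the destination. The archive contents and member names are constructed for the demonstration and do not represent a real pdfium-binaries release.

```python
from __future__ import annotations

import io
import os
import tarfile
import tempfile


def _inside(base: str, path: str) -> bool:
    """True if `path` (resolved) lies at or under `base` (resolved)."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    return os.path.commonpath([base, path]) == base


def safe_extract(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Extract `tar` into `dest`, refusing any member that would land outside it.

    Every member is vetted before anything touches disk, so a later entry
    cannot rely on an earlier symlink to escape the destination.
    """
    dest = os.path.realpath(dest)
    accepted = []
    for member in tar.getmembers():
        # os.path.join discards `dest` when the member name is absolute, so an
        # absolute name fails the same containment check as a "../" name.
        target = os.path.join(dest, member.name)
        if not _inside(dest, target):
            raise tarfile.TarError(f"member escapes destination: {member.name!r}")
        if member.issym() or member.islnk():
            # Symlink targets are relative to the link's own directory;
            # hard-link targets are archive paths relative to the archive root.
            if member.issym():
                link = os.path.join(os.path.dirname(target), member.linkname)
            else:
                link = os.path.join(dest, member.linkname)
            if not _inside(dest, link):
                raise tarfile.TarError(
                    f"link escapes destination: {member.name!r} -> {member.linkname!r}")
        elif not (member.isfile() or member.isdir()):
            # Devices, FIFOs and similar have no place in a source-build archive.
            raise tarfile.TarError(f"unsupported member type: {member.name!r}")
        accepted.append(member)
    # Python 3.12+ (and the 3.8-3.11 backports) ship tarfile's own 'data'
    # extraction filter; enable it as a second layer where it exists.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(dest, members=accepted, **extra)
    return [m.name for m in accepted]


def build_tar(entries: dict) -> bytes:
    """Build an in-memory archive from constructed entries (test data only).

    A bytes value produces a regular file; a str value produces a symlink
    pointing at that string.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in entries.items():
            info = tarfile.TarInfo(name)
            if isinstance(payload, str):
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample archives; names are illustrative, not real release contents.
BENIGN_TAR = build_tar({"pdfium/lib/libpdfium.so": b"\x7fELF..."})
TRAVERSAL_TAR = build_tar({"../evil.txt": b"overwritten"})
SYMLINK_TAR = build_tar({"escape": "/tmp", "escape/payload.txt": b"outside"})


def try_extract(tar_bytes: bytes) -> tuple[bool, list[str]]:
    """Extract into a throwaway directory: (True, names) if accepted, (False, []) if rejected."""
    with tempfile.TemporaryDirectory() as dest, \
            tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        try:
            names = safe_extract(tar, dest)
        except tarfile.TarError:
            return False, []
        # Sanity check: everything accepted really landed inside dest.
        assert all(_inside(dest, os.path.join(dest, n)) for n in names)
        return True, names


if __name__ == "__main__":
    for label, data in (("benign", BENIGN_TAR), ("traversal", TRAVERSAL_TAR), ("symlink", SYMLINK_TAR)):
        print(label, try_extract(data))
```

The containment check compares resolved paths with `os.path.commonpath`, so `pdfium/lib/../../evil` is normalized before it is judged and `/tmp` is caught whether it appears as a member name or as a link target. On interpreters that predate the `tarfile` extraction filters the manual pass is the only safeguard; on newer ones the `filter="data"` layer enforces the same policy inside the standard library.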
<details>
<summary>PDFium commit log</summary>
Commits between [`5418`](https://pdfium.googlesource.com/pdfium/+/refs/heads/chromium/5418) and [`5431`](https://pdfium.googlesource.com/pdfium/+/refs/heads/chromium/5431) (latest commit first):
* [`d5356204a`](https://pdfium.googlesource.com/pdfium/+/d5356204ae6c8a4f699a93387dd7ae1c3daff234) Support --md5 with pdfium_test --skp
* [`c5069d06b`](https://pdfium.googlesource.com/pdfium/+/c5069d06b233490848cdb84abc18fc0c5c8c82c1) Pass const arrays as spans in faxmodule.cpp, part 2.
* [`7bf268c53`](https://pdfium.googlesource.com/pdfium/+/7bf268c5368f5bb50b4d208a61dee8ed628713ed) Replace memcpy() with safer spancpy() in fx_crypt.cpp
* [`fb5521ae8`](https://pdfium.googlesource.com/pdfium/+/fb5521ae8881eb13005625e945f2b56825857a86) Pass const arrays as spans in faxmodule.cpp
* [`ef2d236ee`](https://pdfium.googlesource.com/pdfium/+/ef2d236ee3c81ebdb0b4512b818d44024e9ee2ea) Refactor pdfium_test's rendering paths into classes
* [`5c18e8738`](https://pdfium.googlesource.com/pdfium/+/5c18e87384083a61b76e2f04d234c41ebb76a765) Replace pointer arithmetic with spans in CFX_BinaryBuf.
* [`61e618955`](https://pdfium.googlesource.com/pdfium/+/61e618955b7b708824590794c2e8b18bd63ab3ed) Pass spans to ToString<T>().
* [`fe90654d8`](https://pdfium.googlesource.com/pdfium/+/fe90654d88d53fe3206a60adef8fa4ed5628f191) Pass constant arrays as spans to StringTo<T>()
* [`9b25e9814`](https://pdfium.googlesource.com/pdfium/+/9b25e9814e782ff55deaebd6da8b9ec549ef1590) Populate bitmaps even when using SkPictureRecorder
* [`7905fe91e`](https://pdfium.googlesource.com/pdfium/+/7905fe91e3fc8c42161270757dd1fc6845ab9ee9) Use spancpy()/spanset() in cfx_bmpdecompressor.cpp
* [`2dcc45a1a`](https://pdfium.googlesource.com/pdfium/+/2dcc45a1aabc1875a5cc464bb3785c7e16e048ff) Construct pdfium::span<T> from std::array<T, N>.
* [`f446aae6c`](https://pdfium.googlesource.com/pdfium/+/f446aae6c5ff6cb13141eac8d7a06d6496eb3b15) Enable Skia PNG encoder
* [`05eaf8b28`](https://pdfium.googlesource.com/pdfium/+/05eaf8b284251453b95ecc3beb8a8c4ecf7071fc) Update FRC_10_8.2.4_View_C.pdf entry in the suppression list
* [`730e59911`](https://pdfium.googlesource.com/pdfium/+/730e599117371fa5ba3ac93c1a042285b786c993) Delete //third_party/libpng16
* [`e66603249`](https://pdfium.googlesource.com/pdfium/+/e66603249a8a1ba0847c035821c9f1e94dcf0487) Use shared //third_party/libpng dependency
* [`efd00c258`](https://pdfium.googlesource.com/pdfium/+/efd00c25860738ab03f6f692ce8943aa6533d1ec) Add third_party/libpng
* [`cc3a9be4b`](https://pdfium.googlesource.com/pdfium/+/cc3a9be4bfadc7681eb1346d58b3e7aff563afed) Fix the crash in CFX_SkiaDeviceDriver::StartDIBitsSkia().
* [`66245bea2`](https://pdfium.googlesource.com/pdfium/+/66245bea278b82101d7462b6a4691186b16dddcb) Place CLZWDecoder::decode_stack_ and codes_ into data partition
* [`b92231f9e`](https://pdfium.googlesource.com/pdfium/+/b92231f9e47b264e037be124e3b42ce14f07c47a) Update imports in coverage_report.py.
* [`247aff6cb`](https://pdfium.googlesource.com/pdfium/+/247aff6cbfd073887c30fd591f980ea4399f2f15) Roll third_party/freetype/src/ 0b62c1e43..63ccaef07 (20 commits)
* [`cc53629d5`](https://pdfium.googlesource.com/pdfium/+/cc53629d5cddb90b5a01f160594eb2a9addb9c6e) Roll base/allocator/partition_allocator/ cb1f2e8e0..9f2740129 (24 commits)
* [`0cd76726a`](https://pdfium.googlesource.com/pdfium/+/0cd76726afb0b013534e16e91ea6ad1b9bbe7d64) Give SkUserConfig.h a unique filename.
* [`5eda47dd4`](https://pdfium.googlesource.com/pdfium/+/5eda47dd4c3ce95c84188c042cf4823764a3e500) Remove a check that is always true in CPDF_IndexedCS.
* [`b4b2831a7`](https://pdfium.googlesource.com/pdfium/+/b4b2831a719c39834a0250a0169494cc25472a8f) Avoid needless casting to uint8_t* in cfx_dibbase.cpp
* [`69bddfee8`](https://pdfium.googlesource.com/pdfium/+/69bddfee86d1b95b92413a9b8e96b3a9cca0f8e3) fix some clang-tidy member init suggestions.
* [`b9efec82e`](https://pdfium.googlesource.com/pdfium/+/b9efec82ee1ac3623fe7574591118bf2c5321a36) Check resolution_levels_to_skip value in CJPX_Decoder::Init().
* [`d4d1ae357`](https://pdfium.googlesource.com/pdfium/+/d4d1ae35751d6957cbadc07fb60b5c13b9ac2980) Simplify a loop inside CBC_OneDimWriter::RenderResult().
* [`a067234d6`](https://pdfium.googlesource.com/pdfium/+/a067234d64cb13f3bb7e4a6265fa93413d8e1e42) Install CIPD ninja using DEPS
</details>