CVE-2007-4559

Advisory

Jupyter-archive 3.3.2 includes a fix for CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

What's Changed

- Bug fix :bug:
* Fix path traversal vulnerability by aidy1991 in https://github.com/jupyterlab-contrib/jupyter-archive/pull/100
* Show error message dialog when failed to extract an archive file by aidy1991 in https://github.com/jupyterlab-contrib/jupyter-archive/pull/101

- Maintenance :construction:
* Bump moment from 2.29.1 to 2.29.2 by dependabot in https://github.com/jupyterlab-contrib/jupyter-archive/pull/95
* Bump shell-quote from 1.7.2 to 1.7.3 by dependabot in https://github.com/jupyterlab-contrib/jupyter-archive/pull/96
* Bump terser from 5.7.0 to 5.14.2 by dependabot in https://github.com/jupyterlab-contrib/jupyter-archive/pull/97
* Bump moment from 2.29.2 to 2.29.4 by dependabot in https://github.com/jupyterlab-contrib/jupyter-archive/pull/98
* Bump to 3.3.2 by fcollonval in https://github.com/jupyterlab-contrib/jupyter-archive/pull/102


**Full Changelog**: https://github.com/jupyterlab-contrib/jupyter-archive/compare/v3.3.1...v3.3.2

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4559
• http://mail.python.org/pipermail/python-dev/2007-August/074290.html
• http://mail.python.org/pipermail/python-dev/2007-August/074292.html
• https://bugzilla.redhat.com/show_bug.cgi?id=263261
• http://secunia.com/advisories/26623
• http://www.vupen.com/english/advisories/2007/3022