PyPi: Forcebalance

CVE-2007-4559

Safety vulnerability ID: 53070

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Aug 28, 2007 Updated at Mar 29, 2024

Advisory

Forcebalance 1.9.5 includes a fix for CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

Affected package

forcebalance

Latest version: 1.9.5

Automated force field optimization.

Affected versions

Fixed versions

Vulnerability changelog

Changes and Improvements:
- The optional output file for MM and QM energy comparison now includes a column for the magnitude of the (MM-QM) force difference.
- Compatibility changes for the latest version of OpenMM, in particular, the changes to the API for AMOEBA forces that were introduced in version 7.6.
- Compatibility changes for the latest version of OpenFF Toolkit and Evaluator (Jeff Wagner & Matt Thompson).
- Compatibility changes to support GROMACS up to version 2019.6. Around 2018 GROMACS no longer wrote variable precision .gro files (and the default 3 digit precision was insufficient) so we changed our trjconv calls to write .g96 files instead and added a .g96 parser. Major GROMACS releases after 2019 removed the support for vacuum simulations so we do not support those versions.
- Properly implemented the feature to remove microiteration folders. The previous implementation never worked.
- Added a parser for the updated Psi4 format for vibrational calculations (John Stoppelman).
- More secure .tar file extraction (auto-added by Trellix vuln team).
- Changed the expected output in the OpenFF torsion profile test because newer versions of the toolkit changed the default charge assignment method.
- Changed some AMOEBA vdW sigma parameters from 0 to 1 for particles with no vdW interactions because the newer OpenMM version gives a divide-by-zero error if the sigma parameter is set to 0.
- Removed the default frequency scaling function call in make-vdata.py. It now writes unscaled frequencies. Users are encouraged to set their own scale factors corresponding to the QM method.

Known issues:

- The interface to AMOEBA forces in OpenMM requires OpenMM version 8.0 or higher. However, as of this release, the latest version of OpenFF Evaluator (0.4.2) requires OpenMM version 7.7 or lower. Therefore there is no single version of OpenMM that works for both of these features. The next release of OpenFF Evaluator will most likely be OpenMM 8 compatible. For now, the recommendation for users is to install the OpenMM version that corresponds to your project.
- The interface to OpenFF Recharge is still not working. This will probably be fixed in a future release of OpenFF Recharge.

Pull requests:
* Fix OpenFF torsiondrive and evaluator interface by j-wags in https://github.com/leeping/forcebalance/pull/282
* Update global parameters in a `CustomBondForce` by jthorton in https://github.com/leeping/forcebalance/pull/263
* Several small fixes by leeping in https://github.com/leeping/forcebalance/pull/281
* fix: evaluator unit bug by wenyan4work in https://github.com/leeping/forcebalance/pull/277
* CVE-2007-4559 Patch by TrellixVulnTeam in https://github.com/leeping/forcebalance/pull/268
* Frequency psi update by jstoppelman in https://github.com/leeping/forcebalance/pull/245
* V195 final fixes by leeping in https://github.com/leeping/forcebalance/pull/283

New contributors:
* wenyan4work made their first contribution in https://github.com/leeping/forcebalance/pull/277
* TrellixVulnTeam made their first contribution in https://github.com/leeping/forcebalance/pull/268

**Full Changelog**: https://github.com/leeping/forcebalance/compare/v1.9.4...v1.9.5

Resources


Severity Details

CVSS Base Score

MEDIUM 6.8

CVSS v2 Details

MEDIUM 6.8
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): PARTIAL
Availability Impact (A): PARTIAL