CVE-2007-4559

Advisory

Pact-python 1.7.0 includes a fix for CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

* 9c1132e - Merge pull request 325 from pact-foundation/pactflow_camelcase (Yousaf Nabi, Fri Jan 27 12:29:59 2023 +0000)
* 44cda33 - chore: /s/Pactflow/PactFlow (Yousaf Nabi, Thu Jan 26 16:11:54 2023 +0000)
* 1bbdd37 - feat: Enhance provider states for pact-message (322) (nsfrias, Tue Jan 24 17:04:29 2023 +0000)
* 53ca129 - chore: add workflow to create a jira issue for pactflow team when smartbear-supported label added to github issue (Beth Skurrie, Wed Jan 18 10:51:05 2023 +1100)
* d87d54b - fix: setup security issue (318) (Elliott Murray, Mon Nov 21 09:39:41 2022 +0000)
* 55f2a64 - fix: requirements_dev.txt to reduce vulnerabilities (317) (Matt Fellows, Sun Nov 6 02:12:30 2022 +1100)

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4559
• http://mail.python.org/pipermail/python-dev/2007-August/074290.html
• http://mail.python.org/pipermail/python-dev/2007-August/074292.html
• https://bugzilla.redhat.com/show_bug.cgi?id=263261
• http://secunia.com/advisories/26623
• http://www.vupen.com/english/advisories/2007/3022