1. 5

  2. 1

    This CVE was deemed working as expected (gotta love when that happens). Their patch is rather simple, wrapping the extractall call with some checks.

    The patch essentially checks to see if all tarfile members will be extracted safely and throws an exception otherwise.

    The first PR I found suggesting their patch was closed with a package collaborator remarking

    I have never seen Unsolicited Commercial Git Commits before. This is obnoxious at best, scaling to dangerous if more commonly committed.

    The CVE-2007-4559 is unpatched because it is working as expected. Thanks to @TrellixVulnTeam and @Kasimir123 for making me spend time running down what you already knew.

    I wonder what the acceptance rate is for these 61,000 PRs. This seems very ineffective. Were (post-2007) communications with the CPython team made before these PRs were rolled out?

    1. 1

      If they had communicated with Python 🐍 would they have been able to claim they patched 61k projects? This seems like they are advertising for their services/project.

      The article is all about congratulating themselves on a job well done but no real info on what their patch introduces, why their patch should get accepted or why they felt that this would secure the world more and its impact.

      1. 1

        After reading the linked issue thread and the follow-up it now seems that it is getting fixed. It is still working as expected, but what developers expect changed.
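The check the first comment describes (look at every tarfile member before calling extractall, raise if any would land outside the destination), as an added example that is not the Trellix patch and not code posted by anyone in the thread. The function names, the in-memory archives and the extra link-target check are this example's own assumptions; the archives are constructed here so it runs offline.

```python
from __future__ import annotations

import io
import os
import tarfile
import tempfile


class UnsafeTarMember(Exception):
    """Raised when an archive member would land outside the extraction directory."""


def is_within_directory(directory: str, target: str) -> bool:
    """True if `target`, after collapsing `..` segments, stays inside `directory`.

    os.path.abspath normalises `..` and leaves absolute member names absolute,
    and commonpath compares whole components, so `/out2` is not mistaken
    for a child of `/out`.
    """
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def member_targets(member: tarfile.TarInfo, dest: str) -> list[str]:
    """Every path a member can touch: its own path plus any link target.

    Checking link targets goes beyond the name-only check the comment
    describes; it is an addition of this example, not part of that patch.
    """
    member_path = os.path.join(dest, member.name)
    targets = [member_path]
    if member.issym():
        # A symlink target is resolved relative to the link's own directory.
        targets.append(os.path.join(os.path.dirname(member_path), member.linkname))
    elif member.islnk():
        # A hard-link target is a path relative to the archive root.
        targets.append(os.path.join(dest, member.linkname))
    return targets


def safe_extract(tar: tarfile.TarFile, dest: str = ".") -> list[str]:
    """Check every member first, then extract; nothing is written if any fails."""
    for member in tar.getmembers():
        for target in member_targets(member, dest):
            if not is_within_directory(dest, target):
                raise UnsafeTarMember(
                    f"refusing to extract {member.name!r}: {target!r} escapes {dest!r}"
                )
    tar.extractall(dest)
    return [m.name for m in tar.getmembers()]


def build_archive(files: dict[str, bytes], symlinks: dict[str, str] | None = None) -> bytes:
    """Build an in-memory tar from constructed entries; member names are written verbatim."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target in (symlinks or {}).items():
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


def try_extract(archive: bytes, dest: str) -> bool:
    """Extract into `dest`; False means the check refused the whole archive."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        try:
            safe_extract(tar, dest)
            return True
        except UnsafeTarMember:
            return False


def demo() -> dict[str, bool]:
    """Run the check over four constructed archives; only the benign one extracts."""
    cases = {
        "benign": build_archive({"pkg/README.txt": b"hello"}),
        "dotdot": build_archive({"../escape.txt": b"pwned"}),        # the CVE-2007-4559 traversal
        "absolute": build_archive({"/tmp/escape.txt": b"pwned"}),   # absolute member name
        "symlink_out": build_archive({}, symlinks={"pkg/link": "../../outside"}),
    }
    return {label: try_extract(data, tempfile.mkdtemp()) for label, data in cases.items()}


if __name__ == "__main__":
    for label, extracted in demo().items():
        print(f"{label:12s} {'extracted' if extracted else 'refused'}")
```

The check inspects only the names and link targets inside the archive, not the state of the destination directory, so a symlink created earlier (by a previous archive or a previous member) can still redirect a later write; that is the class of problem the upstream fix addresses, where Python 3.12 added the `filter` argument to `extractall` (`filter="data"` rejects traversal, absolute names and links that point outside the destination).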