RHEL9 Python3 Directory Traversal Vulnerability (CVE-2024-12718)

by SLV Team
Directory Traversal Vulnerability in RHEL9 Python3 (SNYK-RHEL9-PYTHON3-10409385)

Hey guys! Let's dive into this directory traversal vulnerability affecting Python 3 on Red Hat Enterprise Linux 9. It's been identified as SNYK-RHEL9-PYTHON3-10409385, and we're going to break down what it means, how it works, and most importantly, how to fix it. So, grab your favorite beverage, and let's get started!

Understanding the Vulnerability: CVE-2024-12718

At the heart of the matter is CVE-2024-12718, a vulnerability that can allow attackers to modify file metadata or permissions outside of the intended extraction directory when using Python's tarfile module. This is particularly concerning if you're dealing with untrusted tar archives. Imagine extracting a seemingly innocent archive, only to find out that it's been messing with files it shouldn't be touching! That's the kind of scenario we're talking about here.

The vulnerability specifically affects the use of TarFile.extractall() or TarFile.extract() with the filter= parameter set to either "data" or "tar". Now, you might be thinking, "What's this filter parameter all about?" Well, it's a feature introduced in Python 3.12 to provide some control over the extraction process. However, it turns out that these filters had some loopholes.

Versions Affected:

  • Python versions 3.12 and later are where this issue comes into play because that's when the extraction filter feature was introduced. Older versions are not affected in the same way.
  • Notably, Python 3.14 changed the default value of filter= to "data". So, if you're relying on this default behavior in Python 3.14 or later, you're potentially exposed.

It's important to note that this vulnerability doesn't significantly impact the installation of source distributions, which are also tar archives. Why? Because source distributions already allow arbitrary code execution during the build process. However, this doesn't mean you should throw caution to the wind! Always be wary of installing source distributions from untrusted sources or suspicious links.

How Does This Directory Traversal Work?

Okay, let's get a bit technical. Directory traversal vulnerabilities, in general, occur when an application doesn't properly validate user-supplied input that's used to construct file paths. An attacker can then manipulate this input to include special characters (like ../) that allow them to navigate up the directory tree and access files or directories they shouldn't have access to.

In this specific case, the vulnerability in the tarfile module's extraction filters allows an attacker to craft a malicious tar archive that, when extracted, can modify file metadata (like the last modified timestamp) or file permissions outside the intended extraction directory. Think of it as a sneaky way to tamper with your system's files without your knowledge!

The filter parameter in TarFile.extractall() and TarFile.extract() is meant to provide a level of security by limiting what operations are allowed during extraction. However, the "data" and "tar" filters were found to have weaknesses that could be exploited.

Remediation: How to Fix It

Alright, now for the most important part: how do we fix this? If you're using Red Hat Enterprise Linux 9, the solution is straightforward. You need to upgrade your python3 package to version 0:3.9.21-2.el9_6.1 or higher. This version includes the necessary patches to address the vulnerability.

Red Hat has released a security advisory (RHSA-2025:10136) that specifically addresses this issue. So, make sure you check that out for more details. Applying the updates provided by Red Hat is the recommended way to protect your system.

To upgrade your Python 3 package on RHEL 9, you can use the following yum command:

sudo yum update python3

This command will update the python3 package to the latest available version, which should include the fix for this vulnerability. After the update, it's always a good idea to restart any services that rely on Python to ensure the changes take effect.

Diving Deeper: References and Resources

For those of you who like to dig a bit deeper, here are some useful resources and references related to this vulnerability:

These references should provide you with a comprehensive understanding of the vulnerability, its impact, and the steps taken to address it.

Best Practices for Handling Tar Archives

Beyond just patching this specific vulnerability, it's crucial to adopt some best practices when dealing with tar archives, especially when they come from untrusted sources. Here are a few tips to keep in mind:

  1. Always validate the source: Before extracting any tar archive, make sure you trust the source. If you've downloaded it from a website or received it from someone you don't know, exercise caution.
  2. Use the filter parameter wisely: If you're using Python 3.12 or later, be mindful of the filter parameter in TarFile.extractall() and TarFile.extract(). Consider using a more restrictive filter like "pax" or even implementing your own custom filter if you have specific security requirements.
  3. Extract in a safe environment: If you're dealing with an archive from an untrusted source, consider extracting it in a sandboxed environment or a virtual machine. This can help limit the potential damage if the archive turns out to be malicious.
  4. Regularly update your system: Keeping your operating system and software packages up to date is crucial for security. Updates often include patches for vulnerabilities like this one.
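To make the traversal mechanics described earlier and tip 2's "implement your own custom filter" concrete, here is an added example (my own code, not from the original post, Red Hat or CPython). The stock filters tarfile ships are "fully_trusted", "tar" and "data"; anything else is a callable you write with the (member, dest_path) signature that extractall() and extract() accept on Python 3.12+ or on a build that backports the filter feature. The policy below is a hypothetical one that is stricter than "data": it refuses every link outright, so no later member can have its metadata or permissions applied through a link that points outside the destination. The fixture archive, its member names and the /tmp destination are constructed for illustration.

```python
import copy
import io
import os
import stat
import tarfile
import tempfile

# Permission bits an archive should never be allowed to set on extracted files.
_SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def _inside(dest_path: str, candidate: str) -> bool:
    """True if candidate normalises to dest_path or to something below it."""
    base = os.path.realpath(dest_path)
    target = os.path.realpath(candidate)
    return target == base or target.startswith(base + os.sep)


def check_member(member: tarfile.TarInfo, dest_path: str):
    """Return a rejection reason for this member, or None if it may be extracted.

    Hypothetical policy, deliberately stricter than the stock "data" filter:
    absolute names and names that leave dest_path are refused, every symlink and
    hard link is refused (so nothing can be written, chmod'ed or utime'd through
    a link), and device nodes / FIFOs are refused.
    """
    name = member.name
    if os.path.isabs(name) or not _inside(dest_path, os.path.join(dest_path, name)):
        return "path escapes the extraction directory"
    if member.issym() or member.islnk():
        return "links are not allowed"
    if member.isdev() or member.isfifo():
        return "special file types are not allowed"
    return None


def sanitize(member: tarfile.TarInfo) -> tarfile.TarInfo:
    """Copy of member with the setuid/setgid/sticky bits cleared."""
    safe = copy.copy(member)
    safe.mode = member.mode & ~_SPECIAL_BITS
    return safe


def strict_filter(member, dest_path):
    """Has the signature TarFile.extractall(filter=...) expects: return the
    member to extract, or None to skip it."""
    if check_member(member, dest_path) is not None:
        return None
    return sanitize(member)


def vet_archive(tar_bytes: bytes, dest_path: str) -> dict:
    """Apply the policy to every member without touching the filesystem.
    Returns {"accepted": {name: mode}, "rejected": {name: reason}}."""
    accepted, rejected = {}, {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            reason = check_member(member, dest_path)
            if reason is None:
                accepted[member.name] = sanitize(member).mode
            else:
                rejected[member.name] = reason
    return {"accepted": accepted, "rejected": rejected}


def extract_vetted(tar_bytes: bytes, dest_path: str) -> list:
    """Extract only accepted members. Where tarfile.data_filter exists (3.12+
    or a backport) the policy is handed to extractall() as filter=; otherwise
    members are vetted here and extracted one at a time."""
    report = vet_archive(tar_bytes, dest_path)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest_path, filter=strict_filter)
        else:
            for member in tar.getmembers():
                safe = strict_filter(member, dest_path)
                if safe is not None:
                    tar.extract(safe, dest_path)
    return sorted(report["accepted"])


def build_sample_archive() -> bytes:
    """Constructed fixture, not a real-world sample: one benign file, one setuid
    binary, one name that traverses out of the destination, one symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        def add(name, data=b"", mode=0o644, ftype=tarfile.REGTYPE, linkname=""):
            info = tarfile.TarInfo(name)
            info.type, info.mode, info.size, info.linkname = ftype, mode, len(data), linkname
            tar.addfile(info, io.BytesIO(data) if data else None)

        add("docs/readme.txt", b"hello\n")
        add("bin/tool", b"#!/bin/sh\n", mode=0o4755)
        add("../outside.txt", b"escaped\n")
        add("link", ftype=tarfile.SYMTYPE, linkname="../../elsewhere", mode=0o777)
    return buf.getvalue()


def demo() -> dict:
    """Extract the fixture into a fresh temp dir and report what landed on disk."""
    root = tempfile.mkdtemp(prefix="tarvet-")
    dest = os.path.join(root, "out")
    extracted = extract_vetted(build_sample_archive(), dest)
    tool = os.path.join(dest, "bin", "tool")
    return {
        "extracted": extracted,
        "readme_present": os.path.isfile(os.path.join(dest, "docs", "readme.txt")),
        "outside_written": os.path.exists(os.path.join(root, "outside.txt")),
        "link_created": os.path.lexists(os.path.join(dest, "link")),
        "tool_setuid": bool(os.stat(tool).st_mode & stat.S_ISUID),
    }


if __name__ == "__main__":
    print(vet_archive(build_sample_archive(), "/tmp/dest"))
    print(demo())
```

Run vet_archive() first and log the "rejected" map: it is a cheap pre-flight check that works on any Python version and tells you an archive is hostile before a single byte is written. Refusing all links is the conservative choice for archives you do not control; if you must accept archives that legitimately carry symlinks, the policy has to resolve each link target against the destination and keep checking later members against links already created, which is exactly the class of bookkeeping the stock filters got wrong here.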

Conclusion

So, there you have it! We've covered the directory traversal vulnerability in RHEL9 Python3's tarfile module, discussed its impact, and provided clear steps on how to remediate it. Remember, staying informed and proactive is key to maintaining a secure system. Always keep your software updated, be cautious when handling untrusted archives, and follow security best practices.

By understanding vulnerabilities like this one, we can all contribute to a safer and more secure computing environment. Stay safe out there, folks!