YuchenJin opened a new pull request, #13751: URL: https://github.com/apache/tvm/pull/13751
Borrowed from https://github.com/tlc-pack/relax/pull/335. The original author is @TrellixVulnTeam from the Advanced Research Center at [Trellix](https://www.trellix.com).

This PR patches the security vulnerability CVE-2007-4559 in the codebase. CVE-2007-4559 is a 15-year-old bug in the Python tarfile package. By using extract() or extractall() on a tarfile object without sanitizing input, a maliciously crafted .tar file could perform a directory path traversal attack. The patch essentially checks to see if all tarfile members will be extracted safely and throws an exception otherwise. Further technical information about the vulnerability can be found in this [blog](https://www.trellix.com/en-us/about/newsroom/stories/research/tarfile-exploiting-the-world.html).

---

Co-authored-by: TrellixVulnTeam <[email protected]>

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
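The check the PR describes, as an added example (not TVM code and not the patch in this PR): every member is resolved against the destination before `extractall()` runs, and the whole archive is refused if any member would land outside it. The function names (`unsafe_members`, `safe_extractall`, `build_archive`, `check_entries`, `demo`) and the two sample archives are assumptions made for this illustration; the archives are constructed in memory so nothing is fetched. Beyond the `..` case in the PR text it also rejects absolute member names and symlinks whose target escapes the tree, since both reach the same outcome.

```python
"""Pre-extraction check for CVE-2007-4559 style path traversal (added example)."""
import io
import os
import tarfile
import tempfile


class UnsafeTarMember(Exception):
    """Raised when an archive member would land outside the destination."""


def is_within_directory(directory, target):
    """True if `target`, after normalising '..' segments, stays inside `directory`."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def unsafe_members(tar, path="."):
    """Names of members that would escape `path` on extraction.

    Three escape routes are checked: a name with '..' segments, an absolute
    name, and a symlink/hardlink whose target points outside the tree (a
    later member written *through* such a link would also escape).
    """
    bad = []
    for member in tar.getmembers():
        member_path = os.path.join(path, member.name)  # absolute names override `path`
        if not is_within_directory(path, member_path):
            bad.append(member.name)
            continue
        if member.issym():
            # Symlink targets are relative to the link's own directory.
            target = os.path.join(os.path.dirname(member_path), member.linkname)
        elif member.islnk():
            # Hardlink targets are relative to the archive root.
            target = os.path.join(path, member.linkname)
        else:
            continue
        if not is_within_directory(path, target):
            bad.append(member.name)
    return bad


def safe_extractall(tar, path="."):
    """Extract only if every member passes the check; otherwise raise and write nothing."""
    bad = unsafe_members(tar, path)
    if bad:
        raise UnsafeTarMember(f"refusing to extract into {path!r}: {bad}")
    tar.extractall(path)


def build_archive(entries):
    """Constructed in-memory tar used only as sample input.
    Entries are ('file', name, bytes) or ('symlink', name, target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for kind, name, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return buf


# Constructed samples: a normal archive, and a hypothetical malicious one using
# a '..' name, an absolute name, and a symlink that points outside the tree.
BENIGN = [("file", "model/weights.bin", b"\x00\x01\x02"),
          ("symlink", "model/lib", "lib64")]
MALICIOUS = [("file", "../../../tmp/pwned", b"evil"),
             ("file", "/etc/cron.d/evil", b"evil"),
             ("symlink", "model/lib", "../../../../etc")]


def check_entries(entries, path):
    """Build the archive from `entries` and return the names the check rejects."""
    with tarfile.open(fileobj=build_archive(entries)) as tar:
        return unsafe_members(tar, path)


def demo():
    """Extract BENIGN into a temp dir, refuse MALICIOUS; returns (extracted, rejected)."""
    dest = tempfile.mkdtemp()
    with tarfile.open(fileobj=build_archive(BENIGN)) as tar:
        safe_extractall(tar, dest)
    extracted = sorted(
        os.path.relpath(os.path.join(root, f), dest)
        for root, _dirs, files in os.walk(dest) for f in files
    )
    try:
        with tarfile.open(fileobj=build_archive(MALICIOUS)) as tar:
            safe_extractall(tar, dest)
        rejected = []
    except UnsafeTarMember:
        rejected = check_entries(MALICIOUS, dest)
    return extracted, rejected


if __name__ == "__main__":
    print(demo())
```

The check runs over `getmembers()` before any file is written, so a bad archive is rejected as a whole rather than partially extracted. On Python 3.12 and later (and the patch releases that backported PEP 706) the standard library offers the same protection via `tar.extractall(path, filter="data")`; a pre-check like this one is what remains for code that must run on older interpreters.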
