cpython/Misc/NEWS.d/next/Security/2025-06-02-11-32-23.gh-issue-135034.RLGjbp.rst at 9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a - Stowage/cpython - Remotebranch.eu

Stowage/cpython

mirror of https://github.com/python/cpython.git synced 2025-12-31 04:23:37 +00:00

Łukasz Langa 9e0ac76d96

[3.14] gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') (gh-135037) (gh-135065)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

(cherry picked from commit 3612d8f517)

Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

2025-06-03 14:05:00 +02:00

6 lines

250 B

ReStructuredText

Raw Blame History

 Fixes multiple issues that allowed ``tarfile`` extraction filters
 (``filter="data"`` and ``filter="tar"``) to be bypassed using crafted
 symlinks and hard links.
 Addresses :cve:`2024-12718`, :cve:`2025-4138`, :cve:`2025-4330`, and :cve:`2025-4517`.