10000 Multiple tarfile extraction filter bypasses (`filter="tar"`/`filter="data"`) · Issue #135034 · python/cpython · GitHub
[go: up one dir, main page]
Skip to content

Multiple tarfile extraction filter bypasses (filter="tar"/filter="data") #135034

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
sethmlarson opened this issue Jun 2, 2025 · 0 comments
Closed

Multiple tarfile extraction filter bypasses (filter="tar"/filter="data") #135034

sethmlarson opened this issue Jun 2, 2025 · 0 comments
Labels
triaged The issue has been accepted as valid by a triager. type-security A security issue

Comments

@sethmlarson
Copy link
Contributor
sethmlarson commented Jun 2, 2025
edited by encukou
Loading

Bug description:

Public issue for fixing CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, and CVE-2024-12718. See full advisory on security-announce.

[edit @encukou]: Also addresses CVE-2025-4435. Sorry for leaving that out of the commit messages.

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Linked PRs
@sethmlarson sethmlarson added the type-security A security issue label Jun 2, 2025
@picnixz picnixz added the triaged The issue has been accepted as valid by a triager. label Jun 2, 2025
@ambv ambv mentioned this issue Jun 2, 2025
Merged
ambv added a commit to ambv/cpython that referenced this issue Jun 2, 2025
@ambv @encukou
pythongh-135034: Normalize link targets in tarfile, add `os.path.real…
0c16f5f 
…path(strict='allow_missing')`

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

Co-authored-by: Petr Viktorin <encukou@gmail.com>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
@bedevere-app bedevere-app bot mentioned this issue Jun 2, 2025
Merged
Yhg1s pushed a commit that referenced this issue Jun 3, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka
gh-135034: Normalize link targets in tarfile, add `os.path.realpath(s…
3612d8f 
…trict='allow_missing')` (#135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Yhg1s pushed a commit to Yhg1s/cpython that referenced this issue Jun 3, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka @Yhg1s
[3.13] pythongh-135034: Normalize link targets in tarfile, add `os.pa…
2637f45 
…th.realpath(strict='allow_missing')` (pythonGH-135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app bedevere-app bot mentioned this issue Jun 3, 2025
Merged
ambv added a commit to ambv/cpython that referenced this issue Jun 3, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka
pythongh-135034: Normalize link targets in tarfile, add `os.path.real…
553d40f 
…path(strict='allow_missing')` (python#135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 3612d8f)
@bedevere-app bedevere-app bot mentioned this issue Jun 3, 2025
Merged
Yhg1s pushed a commit to Yhg1s/cpython that referenced this issue Jun 3, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka @Yhg1s
[3.12] pythongh-135034: Normalize link targets in tarfile, add `os.pa…
c358142 
…th.realpath(strict='allow_missing')` (pythonGH-135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app bedevere-app bot mentioned this issue Jun 3, 2025
Merged
Yhg1s pushed a commit to Yhg1s/cpython that referenced this issue Jun 3, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka @Yhg1s
[3.11] pythongh-135034: Normalize link targets in tarfile, add `os.pa…
371b4ea 
…th.realpath(strict='allow_missing')` (pythonGH-135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)
(cherry picked from commit c358142)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app bedevere-app bot mentioned this issue Jun 3, 2025
Merged
Yhg1s pushed a commit to Yhg1s/cpython that referenced this issue Jun 3, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka @Yhg1s
[3.10] pythongh-135034: Normalize link targets in tarfile, add `os.pa…
4d959a0 
…th.realpath(strict='allow_missing')` (pythonGH-135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)
(cherry picked from commit c358142)
(cherry picked from commit 371b4ea)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app bedevere-app bot mentioned this issue Jun 3, 2025
Merged
ambv added a commit that referenced this issue Jun 3, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka
[3.14] gh-135034: Normalize link targets in tarfile, add `os.path.rea…
9e0ac76 
…lpath(strict='allow_missing')` (gh-135037) (gh-135065)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

(cherry picked from commit 3612d8f)

Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Yhg1s pushed a commit to Yhg1s/cpython that referenced this issue Jun 3, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka @Yhg1s
[3.9] pythongh-135034: Normalize link targets in tarfile, add `os.pat…
a12f367 
…h.realpath(strict='allow_missing')` (pythonGH-135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Yhg1s pushed a commit to Yhg1s/cpython that referenced this issue Jun 3, 2025
@ambv @encukou
@sethmlarson @AA-Turner @serhiy-storchaka @Yhg1s
[3.9] pythongh-135034: Normalize link targets in tarfile, add `os.pat…
ab834f4 
…h.realpath(strict='allow_missing')` (pythonGH-135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app bedevere-app bot mentioned this issue Jun 3, 2025
Merged
ambv added a commit that referenced this issue Jun 3, 2025
@Yhg1s @ambv
@encukou @sethmlarson @AA-Turner @serhiy-storchaka
[3.13] gh-135034: Normalize link targets in tarfile, add `os.path.rea…
aa9eb5f 
…lpath(strict='allow_missing')` (GH-135037) (GH-135064)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
ambv added a commit that referenced this issue Jun 3, 2025
@Yhg1s @ambv
@encukou @sethmlarson @AA-Turner @serhiy-storchaka
[3.12] gh-135034: Normalize link targets in tarfile, add `os.path.rea…
19de092 
…lpath(strict='allow_missing')` (GH-135037) (GH-135066)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

(cherry picked from commit 3612d8f)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
encukou added a commit to encukou/cpython that referenced this issue Jun 3, 2025
@encukou
[3.12] pythongh-135034: Remove test_realpath_permission
ac560d1 
The test was added in pythongh-110298, with a fix that was never backported
to 3.12 and below.
It was most likely skipped in the GHA run.
@bedevere-app bedevere-app bot mentioned this issue Jun 3, 2025
Merged
ambv pushed a commit that referenced this issue Jun 3, 2025
@encukou
[3.12] gh-135034: Remove test_realpath_permission (GH-135093)
28463db 
The test was added in gh-110298, with a fix that was never backported
to 3.12 and below.
It was most likely skipped in the GHA run.
ambv added a commit that referenced this issue Jun 3, 2025
@Yhg1s @ambv
@encukou @sethmlarson @AA-Turner @serhiy-storchaka
[3.11] gh-135034: Normalize link targets in tarfile, add `os.path.rea…
4633f3f 
…lpath(strict='allow_missing')` (GH-135037) (GH-135068)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)
(cherry picked from commit c358142)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
ambv added a commit that referenced this issue Jun 3, 2025
@Yhg1s @ambv
@encukou @sethmlarson @AA-Turner @serhiy-storchaka
[3.10] gh-135034: Normalize link targets in tarfile, add `os.path.rea…
9c1110e 
…lpath(strict='allow_missing')` (GH-135037) (#135070)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)
(cherry picked from commit c358142)
(cherry picked from commit 371b4ea)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
ambv added a commit that referenced this issue Jun 3, 2025
@Yhg1s @ambv
@encukou @sethmlarson @AA-Turner @serhiy-storchaka
[3.9] gh-135034: Normalize link targets in tarfile, add `os.path.real…
dd8f187 
…path(strict='allow_missing')` (GH-135037) (GH-135084)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@sethmlarson sethmlarson changed the title (TODO) Empty tracking issue Multiple tarfile extraction filter bypasses (filter="tar"/filter="data") Jun 3, 2025
@xry111 xry111 mentioned this issue Jun 4, 2025
Closed
@github-actions github-actions bot mentioned this issue Jun 4, 2025
Closed
1 task
@brianschubert brianschubert mentioned this issue Jun 5, 2025
Merged
@github-actions github-actions bot mentioned this issue Jun 6, 2025
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triaged The issue has been accepted as valid by a triager. type-security A security issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@picnixz @pablogsal @sethmlarson
0