Source: jaraco.context
Version: 6.0.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for jaraco.context.

CVE-2026-23949[0]:
| jaraco.context, an open-source software package that provides some
| useful decorators and context managers, has a Zip Slip path
| traversal vulnerability in the `jaraco.context.tarball()` function
| starting in version 5.2.0 and prior to version 6.1.0. The
| vulnerability may allow attackers to extract files outside the
| intended extraction directory when malicious tar archives are
| processed. The strip_first_component filter splits the path on the
| first `/` and extracts the second component, while allowing `../`
| sequences. Paths like `dummy_dir/../../etc/passwd` become
| `../../etc/passwd`. Note that this suffers from a nested tarball
| attack as well with multi-level tar files such as
| `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a
| traversal `dummy_dir/../../config/.env` that also gets translated to
| `../../config/.env`. Version 6.1.0 contains a patch for the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-23949
    https://www.cve.org/CVERecord?id=CVE-2026-23949
[1] https://github.com/jaraco/jaraco.context/security/advisories/GHSA-58pv-8j8x-9vj2
[2] https://github.com/jaraco/jaraco.context/commit/7b26a42b525735e4085d2e994e13802ea339d5f9

Regards,
Salvatore
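Added illustration, not part of this report or of the jaraco.context code: the "split on the first `/` and keep the rest" pattern the advisory describes, beside a hardened filter that rejects `..` segments and absolute names before the member is written. Function names are assumptions; the `tarfile` filter hook assumes Python 3.12+ or a backport that provides `TarInfo.replace` and `tarfile.data_filter`.

```python
import posixpath
import tarfile


def strip_first_component_naive(name: str) -> str:
    """The vulnerable pattern the advisory describes: drop everything up to
    the first '/' and trust the remainder. Constructed illustration only."""
    _head, _sep, rest = name.partition("/")
    return rest


def is_escaping(path: str) -> bool:
    """True if a POSIX-style member path could land outside the extraction
    directory: absolute, or containing a '..' segment anywhere."""
    if posixpath.isabs(path):
        return True
    return ".." in path.split("/")


def strip_first_component_safe(name: str):
    """Drop the first path component, refuse traversal, and return None when
    nothing is left (the top-level directory entry itself)."""
    _head, _sep, rest = name.partition("/")
    if rest == "":
        return None
    if is_escaping(rest):
        raise ValueError(f"member escapes extraction directory: {name!r}")
    return posixpath.normpath(rest)


def safe_strip_filter(member: tarfile.TarInfo, dest_path: str):
    """tarfile extraction filter (assumes Python 3.12+ or a backport).
    data_filter additionally rejects links and device files and any name
    that still resolves outside dest_path. Apply the same filter when
    extracting a nested archive: the advisory's inner tarball carries its
    own traversal entry."""
    stripped = strip_first_component_safe(member.name)
    if stripped is None:
        return None  # returning None tells tarfile to skip this member
    return tarfile.data_filter(member.replace(name=stripped), dest_path)


if __name__ == "__main__":
    for name in ("dummy_dir/sub/file.txt", "dummy_dir/../../etc/passwd"):
        try:
            print(name, "->", strip_first_component_safe(name))
        except ValueError as exc:
            print(name, "-> rejected:", exc)
```

Usage: `tar.extractall(dest, filter=safe_strip_filter)`; on interpreters without the filter hook, call `strip_first_component_safe` on each member name yourself and skip or abort on `ValueError`.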