Source: pypy3
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for pypy3.

CVE-2026-7774[0]:
| tarfile.data_filter could be bypassed using crafted link entries,
| including symlinks with empty or directory-like names, to redirect
| later archive members outside the intended extraction directory.
| This allowed a malicious tar archive to cause tarfile.extractall()
| to write files outside the destination directory, subject to the
| permissions of the extracting process.

Fix in cpython:
https://www.openwall.com/lists/oss-security/2026/06/04/9
https://github.com/python/cpython/pull/149487
https://github.com/python/cpython/commit/578411982c16f753f4893532510099ef665117da
 (main)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-7774
    https://www.cve.org/CVERecord?id=CVE-2026-7774

Please adjust the affected versions in the BTS as needed.

Reply via email to