Source: pypy3 X-Debbugs-CC: [email protected] Severity: important Tags: security
Hi, The following vulnerability was published for pypy3. CVE-2026-7774[0]: | tarfile.data_filter could be bypassed using crafted link entries, | including symlinks with empty or directory-like names, to redirect | later archive members outside the intended extraction directory. | This allowed a malicious tar archive to cause tarfile.extractall() | to write files outside the destination directory, subject to the | permissions of the extracting process. Fix in cpython: https://www.openwall.com/lists/oss-security/2026/06/04/9 https://github.com/python/cpython/pull/149487 https://github.com/python/cpython/commit/578411982c16f753f4893532510099ef665117da (main) If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-7774 https://www.cve.org/CVERecord?id=CVE-2026-7774 Please adjust the affected versions in the BTS as needed.

