Source: pypy3
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for pypy3.

CVE-2026-11940[0]:
| tarfile.extractall() with the 'data' or 'tar'  filter could be
| bypassed by a crafted archive where a hardlink  references a symlink
| stored at a deeper name than the hardlink itself.   The extraction
| fallback validated the symlink at it's archived location  but
| recreated it at the hardlink's shallower path, letting a relative
| target the filter judged contained escape the destination
| directory.   This allowed a malicious tar archive to create a
| symlink pointing  outside the destination, enabling out-of-
| destination file reads or  writes. This was an incomplete fix of
| CVE-2025-4330.

https://github.com/python/cpython/issues/151558
https://github.com/python/cpython/pull/151559
https://github.com/python/cpython/commit/672825e2f36a57e173959b0d9d409d4560dab8df
 (3.15 branch)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-11940
    https://www.cve.org/CVERecord?id=CVE-2026-11940

Please adjust the affected versions in the BTS as needed.

Reply via email to