There is a correction for the mitigation. The mitigation code for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, and CVE-2024-12718 is now provided in this Gist: https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f
On Tue, Jun 3, 2025 at 8:01 AM Seth Larson <s...@python.org> wrote:

> There are multiple advisories (1 CRITICAL, 3 HIGH, 1 MODERATE) affecting
> the CPython tarfile module.
>
> ## Bypasses in tarfile extraction filtering
>
> These three vulnerabilities are all different methods of bypassing tar
> extraction filtering which is a feature in Python 3.12 and later.
>
> You are affected by this vulnerability if using the tarfile module to
> extract untrusted tar archives using TarFile.extractall() or
> TarFile.extract() using the filter= parameter with a value of "data" or
> "tar". See the tarfile extraction filters documentation for more
> information. Only Python versions 3.12 or later are affected by these
> vulnerabilities, earlier versions don't include the extraction filter
> feature.
>
> Note that for Python 3.14 or later the default value of filter= changed
> from "no filtering" to `"data"`, so if you are relying on this new default
> behavior then your usage is also affected.
>
> Note that none of these vulnerabilities significantly affect the
> installation of source distributions which are tar archives as source
> distributions already allow arbitrary code execution during the build
> process. However when evaluating source distributions it's important to
> avoid installing source distributions with suspicious links.
>
> Note that when extracting an untrusted tar archive without extraction
> filtering enabled already allows for arbitrary write access outside of the
> extraction directory.
>
> * CVE-2025-4517 <https://www.cve.org/CVERecord?id=CVE-2025-4517>
>   (CRITICAL) allows arbitrary filesystem writes outside the extraction
>   directory during extraction with filter="data".
>
> * CVE-2025-4330 <https://www.cve.org/CVERecord?id=CVE-2025-4330> (HIGH)
>   allows the extraction filter to be ignored, allowing symlink targets to
>   point outside the destination directory, and the modification of some file
>   metadata.
>
> * CVE-2025-4138 <https://www.cve.org/CVERecord?id=CVE-2025-4138> (HIGH)
>   allows creating arbitrary symlinks outside the extraction directory during
>   extraction with filter="data".
>
> * CVE-2024-12718 <https://www.cve.org/CVERecord?id=CVE-2024-12718> (MODERATE)
>   allows modifying some file metadata (e.g. last modified) with
>   `filter="data"` or file permissions (chmod) with `filter="tar"` of files
>   outside the extraction directory.
>
> ## Filtered members not skipped with TarFile.errorlevel = 0
>
> When using a `TarFile.errorlevel = 0` and extracting with a filter the
> documented behavior is that any filtered members would be skipped and not
> extracted. However the actual behavior of `TarFile.errorlevel = 0` in
> affected versions is that the member would still be extracted and not
> skipped.
>
> * CVE-2025-4435 <https://www.cve.org/CVERecord?id=CVE-2025-4435> (HIGH)
>
> ## Mitigation
>
> The recommended mitigation is to upgrade your Python version to a fixed
> version or apply the patch(es) linked within the CVEs. If you cannot patch
> or upgrade, rejecting all links with the parent directory segment (`".."`)
> prior to calling extract will mitigate the vulnerabilities below:
>
> ```
> # Avoid insecure segments in link names.
> for member in tar.getmembers():
>     if not member.islnk():
>         continue
>     if os.pardir in os.path.split(member.linkname):
>         raise OSError("Tarfile with insecure segment ('..') in linkname")
>
> # Now safe to extract members with the data filter.
> tar.extractall(filter="data")
> ```
>
> Please see the linked CVE IDs for the latest information on affected
> versions.
_______________________________________________
Security-announce mailing list -- security-annou...@python.org
To unsubscribe send an email to security-announce-le...@python.org
https://mail.python.org/mailman3//lists/security-announce.python.org
Member address: arch...@mail-archive.com
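As an added example (this is neither the advisory's snippet nor the code in the linked Gist), a pre-extraction check in the spirit of the mitigation quoted above: it treats both hard links (`islnk()`) and symlinks (`issym()`) as links, compares each `/`-separated segment of `linkname` with `os.pardir` rather than testing the two-element tuple returned by `os.path.split`, refuses to proceed when `errorlevel` is 0 (the CVE-2025-4435 case), and only then calls `extractall(filter="data")`. The function names, the entry-tuple format and the in-memory sample archives are constructed for illustration; the check itself runs on any Python, while the extraction step needs an interpreter that ships the extraction filters.

```python
"""Guarded tar extraction: reject link members whose target contains a
'..' segment before handing the archive to the "data" filter.

Added example, not code from the advisory or from the linked Gist.  The
function names, the entry tuples and the in-memory sample archives are
constructed for illustration.
"""
import io
import os
import tarfile
import tempfile
from typing import List, Tuple

# True on interpreters that ship extraction filters (3.12+ and the
# backports to earlier maintenance releases).
FILTERS_AVAILABLE = hasattr(tarfile, "data_filter")


def insecure_link_members(tar: tarfile.TarFile) -> List[tarfile.TarInfo]:
    """Return every hard link *and* symlink whose linkname has a '..'
    segment.  Tar link names use '/' regardless of host platform, so the
    name is split on '/' (after folding any os.sep) and each segment is
    compared exactly with os.pardir, so 'foo..bar' is not a false positive."""
    bad = []
    for member in tar.getmembers():
        if not (member.issym() or member.islnk()):
            continue
        segments = member.linkname.replace(os.sep, "/").split("/")
        if os.pardir in segments:
            bad.append(member)
    return bad


def safe_extractall(tar: tarfile.TarFile, dest: str) -> None:
    """Extract with filter="data" only after the link check passes."""
    if not FILTERS_AVAILABLE:
        raise RuntimeError("no tarfile extraction filters on this Python; "
                           "refusing to extract an untrusted archive")
    # errorlevel=0 is documented to skip filtered members, but affected
    # versions extract them anyway (CVE-2025-4435); insist on raising.
    if tar.errorlevel < 1:
        raise ValueError("TarFile.errorlevel must be >= 1 for filtered extraction")
    bad = insecure_link_members(tar)
    if bad:
        detail = ", ".join(f"{m.name} -> {m.linkname}" for m in bad)
        raise OSError(f"tarfile has insecure segment ('..') in linkname: {detail}")
    tar.extractall(dest, filter="data")


# Constructed entries: (kind, member name, payload).  For "file" the
# payload is the content; for "symlink"/"hardlink" it is the link target.
Entry = Tuple[str, str, object]

MALICIOUS_ENTRIES: List[Entry] = [
    ("file", "pkg/README", b"hello\n"),
    ("symlink", "pkg/link_ok", "README"),             # stays inside pkg/
    ("symlink", "pkg/link_bad", "../../etc/passwd"),  # escapes via '..'
    ("hardlink", "pkg/hard_bad", "pkg/../../outside"),
]
CLEAN_ENTRIES: List[Entry] = MALICIOUS_ENTRIES[:2]


def build_archive(entries: List[Entry]) -> bytes:
    """Serialize the constructed entries into an uncompressed tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for kind, name, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
                continue
            info.type = tarfile.SYMTYPE if kind == "symlink" else tarfile.LNKTYPE
            info.linkname = payload
            tar.addfile(info)
    return buf.getvalue()


def flagged_members(data: bytes) -> List[str]:
    """Names of the link members the pre-check rejects."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return [m.name for m in insecure_link_members(tar)]


def extract_to_tempdir(data: bytes) -> List[str]:
    """Run the guarded extraction into a scratch directory and report
    what landed under pkg/ (raises OSError for a rejected archive)."""
    with tempfile.TemporaryDirectory() as dest, \
            tarfile.open(fileobj=io.BytesIO(data)) as tar:
        safe_extractall(tar, dest)
        return sorted(os.listdir(os.path.join(dest, "pkg")))


if __name__ == "__main__":
    print("flagged:", flagged_members(build_archive(MALICIOUS_ENTRIES)))
    print("clean archive extracted:", extract_to_tempdir(build_archive(CLEAN_ENTRIES)))
```

The check is deliberately run before `extractall` rather than inside a custom filter, so a single bad link rejects the whole archive instead of leaving a partially extracted tree behind; the `"data"` filter still applies afterwards for everything the pre-check does not cover.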