Skip to content

gh-130577: tarfile now validates archives to ensure member offsets are non-negative#137027

Merged
ethanfurman merged 3 commits intopython:mainfrom
aeurielesn:gh-130577
Jul 28, 2025
Merged

gh-130577: tarfile now validates archives to ensure member offsets are non-negative#137027
ethanfurman merged 3 commits intopython:mainfrom
aeurielesn:gh-130577

Conversation

@aeurielesn
Copy link
Contributor

@aeurielesn aeurielesn commented Jul 22, 2025
edited by github-actions bot
Loading

@aeurielesn aeurielesn requested a review from ethanfurman as a code owner July 22, 2025 22:44
@bedevere-app bedevere-app bot mentioned this pull request Jul 22, 2025
Closed
gpshead
gpshead approved these changes Jul 25, 2025
View reviewed changes
Copy link
Member

@gpshead gpshead left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's rather sad that the number format used within tar files even explicitly allows a way to express negative values. is there even a use case for that in the file format(s)?

@gpshead gpshead added needs backport to 3.9 needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes and removed needs backport to 3.9 needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels Jul 25, 2025
@gpshead
Copy link
Member

gpshead commented Jul 25, 2025
edited
Loading

Please cherry pick this commit to your branch (mispaste fixed): aa57b01

we don't want a whatsnew entry for this; whats new is for major features not bugfixes. a whatsnew entry makes backporting a chore (thus me removing the auto-backport labels for now)

(github is refusing to let me push changes to your branch. Please always allow maintainers to push edits to PR branches.)

@gpshead
Copy link
Member

gpshead commented Jul 25, 2025

(corrected mispasted commit link above)

@gpshead gpshead self-assigned this Jul 25, 2025
@aeurielesn
Copy link
Contributor Author

aeurielesn commented Jul 26, 2025

I enabled the allow edits to avoid any further issues and I cherry-picked the commit from your personal fork.

@aeurielesn
Copy link
Contributor Author

aeurielesn commented Jul 26, 2025

By the way, thanks for the clarifications on the process 👍

This was referenced Aug 18, 2025
Merged
Merged
Closed
Merged
Agent-Hellboy pushed a commit to Agent-Hellboy/cpython that referenced this pull request Aug 19, 2025
@aeurielesn @gpshead @Agent-Hellboy
pythongh-130577: tarfile now validates archives to ensure member offs…
ab78453 
…ets are non-negative (pythonGH-137027)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
@github-actions github-actions bot mentioned this pull request Aug 19, 2025
Merged
pablogsal pushed a commit that referenced this pull request Aug 19, 2025
@miss-islington @aeurielesn @gpshead
[3.11] gh-130577: tarfile now validates archives to ensure member off…
b4ec174 
…sets are non-negative (GH-137027) (#137172)

gh-130577: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
(cherry picked from commit 7040aa5)

Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-bot
Copy link

bedevere-bot commented Aug 19, 2025

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot s390x RHEL9 Refleaks 3.11 (tier-3) has failed when building commit b4ec174.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/#/builders/1586/builds/63) and take a look at the build logs.
  4. Check if the failure is related to this commit (b4ec174) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/#/builders/1586/builds/63

Failed tests:

  • test_typing

Test leaking resources:

  • test_typing: memory blocks

Summary of the results of the build (if available):

==

Click to see traceback logs 
remote: Enumerating objects: 11, done.        
remote: Counting objects:  14% (1/7)        
remote: Counting objects:  28% (2/7)        
remote: Counting objects:  42% (3/7)        
remote: Counting objects:  57% (4/7)        
remote: Counting objects:  71% (5/7)        
remote: Counting objects:  85% (6/7)        
remote: Counting objects: 100% (7/7)        
remote: Counting objects: 100% (7/7), done.        
remote: Compressing objects:  25% (1/4)        
remote: Compressing objects:  50% (2/4)        
remote: Compressing objects:  75% (3/4)        
remote: Compressing objects: 100% (4/4)        
remote: Compressing objects: 100% (4/4), done.        
remote: Total 11 (delta 3), reused 3 (delta 3), pack-reused 4 (from 2)        
From https://github.com/python/cpython
 * branch                    3.11       -> FETCH_HEAD
Note: switching to 'b4ec17488eedec36d3c05fec127df71c0071f6cb'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at b4ec17488ee [3.11] gh-130577: tarfile now validates archives to ensure member offsets are non-negative (GH-137027) (#137172)
Switched to and reset branch '3.11'

renaming build/scripts-3.11/pydoc3 to build/scripts-3.11/pydoc3.11
renaming build/scripts-3.11/idle3 to build/scripts-3.11/idle3.11
renaming build/scripts-3.11/2to3 to build/scripts-3.11/2to3-3.11

renaming build/scripts-3.11/pydoc3 to build/scripts-3.11/pydoc3.11
renaming build/scripts-3.11/idle3 to build/scripts-3.11/idle3.11
renaming build/scripts-3.11/2to3 to build/scripts-3.11/2to3-3.11

renaming build/scripts-3.11/pydoc3 to build/scripts-3.11/pydoc3.11
renaming build/scripts-3.11/idle3 to build/scripts-3.11/idle3.11
renaming build/scripts-3.11/2to3 to build/scripts-3.11/2to3-3.11
make: *** [Makefile:1852: buildbottest] Error 2

This was referenced Aug 20, 2025
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
@dimaqq
Copy link
Contributor

dimaqq commented Aug 26, 2025

I wonder if similar treatment is needed for e.g. offset/numbytes in the TNUYPE_SPARSE processing arc. And perhaps origsize too?

This was referenced Aug 27, 2025
Merged
Merged
Merged
Merged
@picnixz picnixz mentioned this pull request Aug 28, 2025
Open
This was referenced Aug 28, 2025
Merged
Merged
pablogsal pushed a commit that referenced this pull request Sep 2, 2025
@vstinner @aeurielesn @gpshead
[3.10] gh-130577: tarfile now validates archives to ensure member off…
57f5981 
…sets are non-negative (GH-137027) (#137644)

gh-130577: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)


(cherry picked from commit 7040aa5)

Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
kumaraditya303 pushed a commit to miss-islington/cpython that referenced this pull request Sep 9, 2025
@miss-islington @aeurielesn
@gpshead @kumaraditya303
[3.14] pythongh-130577: tarfile now validates archives to ensure memb…
7057dcb 
…er offsets are non-negative (pythonGH-137027) (python#137169)

Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
ambv pushed a commit that referenced this pull request Sep 13, 2025
@vstinner @aeurielesn @gpshead
[3.9] gh-130577: tarfile now validates archives to ensure member offs…
73f03e4 
…ets are non-negative (GH-137027) (GH-137645)

gh-130577: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)

(cherry picked from commit 7040aa5)

Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
hroncok pushed a commit to fedora-python/cpython that referenced this pull request Feb 3, 2026
@aeurielesn @gpshead @hroncok
00467: tarfile CVE-2025-8194
31cf6cf 
tarfile now validates archives to ensure member offsets are non-negative (pythonGH-137027)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gpshead gpshead gpshead approved these changes

@ethanfurman ethanfurman ethanfurman approved these changes

@sethmlarson sethmlarson sethmlarson approved these changes

Assignees

@gpshead gpshead

Labels

type-security A security issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@aeurielesn @gpshead @bedevere-bot @dimaqq @ethanfurman @sethmlarson