Skip to content

gh-130577: tarfile now validates archives to ensure member offsets are non-negative #137027

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 28, 2025
Merged

gh-130577: tarfile now validates archives to ensure member offsets are non-negative #137027

merged 3 commits into from
Jul 28, 2025

Conversation

aeurielesn
Copy link
Contributor

@aeurielesn aeurielesn commented Jul 22, 2025
edited by github-actions bot
Loading

@aeurielesn aeurielesn requested a review from ethanfurman as a code owner July 22, 2025 22:44
@bedevere-app bedevere-app bot mentioned this pull request Jul 22, 2025
Open
gpshead
gpshead approved these changes Jul 25, 2025
View reviewed changes
Copy link
Member

@gpshead gpshead left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's rather sad that the number format used within tar files even explicitly allows a way to express negative values. is there even a use case for that in the file format(s)?

@gpshead gpshead added needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes and removed needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels Jul 25, 2025
@gpshead
Copy link
Member

gpshead commented Jul 25, 2025
edited
Loading

Please cherry pick this commit to your branch (mispaste fixed): aa57b01

we don't want a whatsnew entry for this; whats new is for major features not bugfixes. a whatsnew entry makes backporting a chore (thus me removing the auto-backport labels for now)

(github is refusing to let me push changes to your branch. Please always allow maintainers to push edits to PR branches.)

@gpshead
Copy link
Member

gpshead commented Jul 25, 2025

(corrected mispasted commit link above)

@gpshead gpshead self-assigned this Jul 25, 2025
@aeurielesn
Copy link
Contributor Author

I enabled the allow edits to avoid any further issues and I cherry-picked the commit from your personal fork.

@aeurielesn
Copy link
Contributor Author

By the way, thanks for the clarifications on the process 👍

@gpshead gpshead added needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes labels Jul 27, 2025
@ethanfurman ethanfurman merged commit 7040aa5 into python:main Jul 28, 2025
51 checks passed
@miss-islington-app
Copy link

Thanks @aeurielesn for the PR, and @ethanfurman for merging it 🌮🎉.. I'm working now to backport this PR to: 3.9, 3.10, 3.11, 3.12, 3.13, 3.14.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jul 28, 2025
@aeurielesn @gpshead @miss-islington
pythongh-130577: tarfile now validates archives to ensure member offs…
28d1302 
…ets are non-negative (pythonGH-137027)

(cherry picked from commit 7040aa5)

Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jul 28, 2025
@aeurielesn @gpshead @miss-islington
pythongh-130577: tarfile now validates archives to ensure member offs…
fd29bcd 
…ets are non-negative (pythonGH-137027)

(cherry picked from commit 7040aa5)

Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-app
Copy link

bedevere-app bot commented Jul 28, 2025

GH-137169 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label Jul 28, 2025
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jul 28, 2025
@aeurielesn @gpshead @miss-islington
pythongh-130577: tarfile now validates archives to ensure member offs…
8f38105 
…ets are non-negative (pythonGH-137027)

(cherry picked from commit 7040aa5)

Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-app
Copy link

bedevere-app bot commented Jul 28, 2025

GH-137170 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Jul 28, 2025
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jul 28, 2025
@aeurielesn @gpshead @miss-islington
pythongh-130577: tarfile now validates archives to ensure member offs…
cb35195 
…ets are non-negative (pythonGH-137027)

(cherry picked from commit 7040aa5)

Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-app
Copy link

bedevere-app bot commented Jul 28, 2025

GH-137171 is a backport of this pull request to the 3.12 branch.

@miss-islington-app
Copy link

Sorry, @aeurielesn and @ethanfurman, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 7040aa54f14676938970e10c5f74ea93cd56aa38 3.10

@bedevere-app bedevere-app bot removed the needs backport to 3.12 only security fixes label Jul 28, 2025
@miss-islington-app
Copy link

Sorry, @aeurielesn and @ethanfurman, I could not cleanly backport this to 3.9 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 7040aa54f14676938970e10c5f74ea93cd56aa38 3.9

@bedevere-app
Copy link

bedevere-app bot commented Jul 28, 2025

GH-137172 is a backport of this pull request to the 3.11 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.11 only security fixes label Jul 28, 2025
@gpshead gpshead added the type-security A security issue label Jul 28, 2025
gpshead added a commit that referenced this pull request Jul 28, 2025
@miss-islington @aeurielesn @gpshead
[3.13] gh-130577: tarfile now validates archives to ensure member off…
cdae923 
…sets are non-negative (GH-137027) (#137170)

gh-130577: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
(cherry picked from commit 7040aa5)

Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
gpshead added a commit to gpshead/cpython that referenced this pull request Jul 28, 2025
@aeurielesn @gpshead
[3.10] pythongh-130577: tarfile now validates archives to ensure memb…
898ac93 
…er offsets are non-negative (pythonGH-137027)

(cherry picked from commit 7040aa5)

Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-app
Copy link

bedevere-app bot commented Jul 28, 2025

GH-137176 is a backport of this pull request to the 3.10 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.10 only security fixes label Jul 28, 2025
gpshead added a commit to gpshead/cpython that referenced this pull request Jul 28, 2025
@aeurielesn @gpshead
[3.9] pythongh-130577: tarfile now validates archives to ensure membe…
ea07f6b 
…r offsets are non-negative (pythonGH-137027)

(cherry picked from commit 7040aa5)

Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-app
Copy link

bedevere-app bot commented Jul 28, 2025

GH-137177 is a backport of this pull request to the 3.9 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.9 only security fixes label Jul 28, 2025
hugovk pushed a commit that referenced this pull request Jul 28, 2025
@miss-islington @aeurielesn @gpshead
[3.14] gh-130577: tarfile now validates archives to ensure member off…
fbc2a0c 
…sets are non-negative (GH-137027) (#137169)

Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
hroncok pushed a commit to fedora-python/cpython that referenced this pull request Jul 28, 2025
@aeurielesn @gpshead @hroncok
00467: pythongh-130577: tarfile now validates archives to ensure memb…
4155dac 
…er offsets are non-negative (pythonGH-137027) (cherry picked from commit 7040aa5)

Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
hroncok pushed a commit to fedora-python/cpython that referenced this pull request Jul 28, 2025
@aeurielesn @gpshead @hroncok
00467: pythongh-130577: tarfile now validates archives to ensure memb…
6ae6a26 
…er offsets are non-negative (pythonGH-137027) (cherry picked from commit 7040aa5)

Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gpshead gpshead gpshead approved these changes

@ethanfurman ethanfurman ethanfurman approved these changes

@sethmlarson sethmlarson sethmlarson approved these changes

Assignees

@gpshead gpshead

Labels
type-security A security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@aeurielesn @gpshead @ethanfurman @sethmlarson