Opened 7 months ago
Closed 6 months ago
#21895 closed enhancement (fixed)
Python3 - Cpython Tarfile infinite loop during parsing with negative member offset (CVE-2025-8194)
| Reported by: | Joe Locash | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | high | Milestone: | 12.4 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
This is rated as high.
More info can be found @ https://mail.python.org/archives/list/security-announce@python.org/thread/ZULLF3IZ726XP5EY7XJ7YIN3K5MDYR2D/ and https://www.cve.org/CVERecord?id=CVE-2025-8194
MR to fix it in 3.13: https://github.com/python/cpython/pull/137170 (merged)
Change History (4)
comment:1 by , 7 months ago
comment:2 by , 7 months ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 6 months ago
This sed works:
sed -e '/Round/{n;n;a\
        # Only non-negative offsets are allowed\
        if count < 0:\
            raise InvalidHeaderError("invalid offset")
}' -i Lib/tarfile.py
Spaces count.
comment:4 by , 6 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at 33a22801e6213e9b449cd20d556a4e0c20199b1e
SA-12.3-087 issued
There appear to be three files in this fix:
But for our purposes we really only need:
diff --git a/Lib/tarfile.py b/Lib/tarfile.py index 80d8644af86f74..45f58eb8ac93cf 100644 --- a/Lib/tarfile.py +++ b/Lib/tarfile.py @@ -1647,6 +1647,9 @@ def _block(self, count): """Round up a byte count by BLOCKSIZE and return it, e.g. _block(834) => 1024. """ + # Only non-negative offsets are allowed + if count < 0: + raise InvalidHeaderError("invalid offset") blocks, remainder = divmod(count, BLOCKSIZE) if remainder: blocks += 1This can be done with a sed. Is this sufficient?
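Review bot: Placing the check at the top of `_block` before the `divmod` is the right spot, since a negative `count` would otherwise round to a non-positive block count and the offset it feeds would not advance; the hunk carries no regression test, though, and the other two upstream files are not shown, so a backport that takes only this hunk should be verified by hand: `_block(-1)` must now raise `InvalidHeaderError` while `_block(834)` still returns 1024 as the docstring states.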
It will need to go into both LFS and BLFS.