[3.9] gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') (GH-135037)#135084

Merged: ambv merged 8 commits into python:3.9 from Yhg1s:backport-3612d8f-3.9, Jun 3, 2025

@Yhg1s Yhg1s commented Jun 3, 2025

Member

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)

Co-authored-by: Łukasz Langa lukasz@langa.pl
Co-authored-by: Petr Viktorin encukou@gmail.com
Co-authored-by: Seth Michael Larson seth@python.org
Co-authored-by: Adam Turner 9087854+AA-Turner@users.noreply.github.com
Co-authored-by: Serhiy Storchaka storchaka@gmail.com

…h.realpath(strict='allow_missing')` (pythonGH-135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Comment thread Doc/whatsnew/3.9.rst Outdated
the CVE-2023-27043 fix.)


Notable changes in 3.10.18
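
Review bot: The section heading "Notable changes in 3.10.18" sits in Doc/whatsnew/3.9.rst, so the 3.9 release notes would file this security change under a 3.10 version. The heading should name the 3.9 patch release that carries this backport, so readers checking whether their 3.9 install includes the tarfile fixes look up the right version.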

Contributor

👀

Member Author

Sorry, patch level of 3.9 is so big it overflowed.

@ambv ambv merged commit dd8f187 into python:3.9 Jun 3, 2025
14 checks passed