[3.11] gh-135034: Normalize link targets in tarfile, add `os.path.realpath(strict='allow_missing')` (GH-135037) #135068


Merged: ambv merged 8 commits into python:3.11 from Yhg1s:backport-c358142-3.11 on Jun 3, 2025

Conversation

Yhg1s (Member) commented Jun 3, 2025 (edited)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

📚 Documentation preview 📚: https://cpython-previews--135068.org.readthedocs.build/

ambv and others added 2 commits on June 3, 2025 13:35

…th.realpath(strict='allow_missing')` (pythonGH-135037)

Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f)
(cherry picked from commit c358142)
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

ambv merged commit 4633f3f into python:3.11 on Jun 3, 2025
24 checks passed
kulikjak (Contributor) commented:

After this update, I am getting the following test failure:

```
======================================================================
ERROR: test_realpath_limit_attack (test.test_tarfile.TestExtractionFilters.test_realpath_limit_attack) [fully_trusted]
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builds/jkulik/python-3.13.4-3.11.13-3.9.23/components/python/python311/Python-3.11.13/Lib/test/test_tarfile.py", line 3669, in test_realpath_limit_attack
    with (self.subTest('fully_trusted'),
  File "/builds/jkulik/python-3.13.4-3.11.13-3.9.23/components/python/python311/Python-3.11.13/Lib/contextlib.py", line 137, in __enter__
    return next(self.gen)
           ^^^^^^^^^^^^^^
  File "/builds/jkulik/python-3.13.4-3.11.13-3.9.23/components/python/python311/Python-3.11.13/Lib/test/test_tarfile.py", line 3458, in check_context
    self.expected_paths = set(self.outerdir.glob('**/*'))
                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/builds/jkulik/python-3.13.4-3.11.13-3.9.23/components/python/python311/Python-3.11.13/Lib/pathlib.py", line 958, in glob
    for p in selector.select_from(self):
  File "/builds/jkulik/python-3.13.4-3.11.13-3.9.23/components/python/python311/Python-3.11.13/Lib/pathlib.py", line 411, in _select_from
    for starting_point in self._iterate_directories(parent_path, is_dir, scandir):
  File "/builds/jkulik/python-3.13.4-3.11.13-3.9.23/components/python/python311/Python-3.11.13/Lib/pathlib.py", line 401, in _iterate_directories
    for p in self._iterate_directories(path, is_dir, scandir):
  File "/builds/jkulik/python-3.13.4-3.11.13-3.9.23/components/python/python311/Python-3.11.13/Lib/pathlib.py", line 401, in _iterate_directories
    for p in self._iterate_directories(path, is_dir, scandir):
  File "/builds/jkulik/python-3.13.4-3.11.13-3.9.23/components/python/python311/Python-3.11.13/Lib/pathlib.py", line 401, in _iterate_directories
    for p in self._iterate_directories(path, is_dir, scandir):
  [Previous line repeated 14 more times]
  File "/builds/jkulik/python-3.13.4-3.11.13-3.9.23/components/python/python311/Python-3.11.13/Lib/pathlib.py", line 395, in _iterate_directories
    entry_is_dir = entry.is_dir(follow_symlinks=False)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
OSError: [Errno 78] File name too long: '/builds/jkulik/python-3.13.4-3.11.13-3.9.23/components/python/python311/build/amd64/build/test_python_22904æ/@test_22904_tmpæ-tardir/outerdir/dest/ddddddddddddddddddddddddddddddddddddddddddddddddddd/ddddddddddddddddddddddddddddddddddddddddddddddddddd/ddddddddddddddddddddddddddddddddddddddddddddddddddd/ddddddddddddddddddddddddddddddddddddddddddddddddddd/ddddddddddddddddddddddddddddddddddddddddddddddddddd/ddddddddddddddddddddddddddddddddddddddddddddddddddd/ddddddddddddddddddddddddddddddddddddddddddddddddddd/ddddddddddddddddddddddddddddddddddddddddddddddddddd/ddddddddddddddddddddddddddddddddddddddddddddddddddd/ddddddddddddddddddddddddddddddddddddddddddddddddddd/ddddddddddddddddddddddddddddddddddddddddddddddddddd/ddddddddddddddddddddddddddddddddddddddddddddddddddd/ddddddddddddddddddddddddddddddddddddddddddddddddddd/ddddddddddddddddddddddddddddddddddddddddddddddddddd/ddddddddddddddddddddddddddddddddddddddddddddddddddd/ddddddddddddddddddddddddddddddddddddddddddddddddddd/llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll'
```

Interestingly, it's just 3.11.13 that's failing - both 3.9.23 and 3.13.4 (and all other supported versions we are running in our internal buildbot) pass. 3.13 has a very different pathlib implementation, but 3.9 is pretty similar so I investigated the differences, and when I print the entries from here (_iterate_directories in 3.9 / 3.11):

```
            with scandir(parent_path) as scandir_it:
                entries = list(scandir_it)
```

I get very different results:
3.9:

```
[<DirEntry 'newfile'>, <DirEntry 'flag'>, <DirEntry 'dest'>]
[<DirEntry 'a'>, <DirEntry 'flaglink'>, <DirEntry 'escape'>]
```

3.11:

```
[<DirEntry 'dest'>, <DirEntry 'flag'>, <DirEntry 'newfile'>]
[<DirEntry 'a'>, <DirEntry 'escape'>, <DirEntry 'flaglink'>, <DirEntry 'ddddddddddddddddddddddddddddddddddddddddddddddddddd'>]
[<DirEntry 'b'>, <DirEntry 'ddddddddddddddddddddddddddddddddddddddddddddddddddd'>]
[<DirEntry 'c'>, <DirEntry 'ddddddddddddddddddddddddddddddddddddddddddddddddddd'>]
[<DirEntry 'ddddddddddddddddddddddddddddddddddddddddddddddddddd'>, <DirEntry 'd'>]
[<DirEntry 'ddddddddddddddddddddddddddddddddddddddddddddddddddd'>, <DirEntry 'e'>]
[<DirEntry 'f'>, <DirEntry 'ddddddddddddddddddddddddddddddddddddddddddddddddddd'>]
[<DirEntry 'g'>, <DirEntry 'ddddddddddddddddddddddddddddddddddddddddddddddddddd'>]
[<DirEntry 'ddddddddddddddddddddddddddddddddddddddddddddddddddd'>, <DirEntry 'h'>]
[<DirEntry 'ddddddddddddddddddddddddddddddddddddddddddddddddddd'>, <DirEntry 'i'>]
[<DirEntry 'ddddddddddddddddddddddddddddddddddddddddddddddddddd'>, <DirEntry 'j'>]
[<DirEntry 'k'>, <DirEntry 'ddddddddddddddddddddddddddddddddddddddddddddddddddd'>]
[<DirEntry 'l'>, <DirEntry 'ddddddddddddddddddddddddddddddddddddddddddddddddddd'>]
[<DirEntry 'm'>, <DirEntry 'ddddddddddddddddddddddddddddddddddddddddddddddddddd'>]
[<DirEntry 'n'>, <DirEntry 'ddddddddddddddddddddddddddddddddddddddddddddddddddd'>]
[<DirEntry 'o'>, <DirEntry 'ddddddddddddddddddddddddddddddddddddddddddddddddddd'>]
[<DirEntry 'ddddddddddddddddddddddddddddddddddddddddddddddddddd'>, <DirEntry 'p'>]
[<DirEntry 'llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll'>]
```

Also, the scandir argument is different:
3.9: `<built-in function scandir>`
3.11: `<function Path._scandir at 0x7fed9bd923e0>`
so I guess that those implementations behave differently (the 3.11 one returns many more entries), which causes the failure?

This is on Oracle Solaris.

encukou (Member) commented:

Ah! We got the same test failure in 3.10, so I hotfixed it there. Try applying the hack to 3.11: dff62a1

It's just a test failure: if the filter is fully_trusted, this archive unpacks to a very interesting directory tree -- one that this version of Path.glob can't handle. And we call glob in the tests to get data for the assertions.

kulikjak (Contributor) commented Jun 4, 2025 (edited)

Oh, that fixed it. Thanks!

(I didn't realize that this difference between 3.9 and 3.11 is what causes the issue)

DimNik9 commented:

Hello, sorry to ask directly here, but I haven't understood how 3.10 & 3.11 are affected by these CVEs, since the description of each CVE states that ONLY versions after 3.12 are affected, since the extraction filters were first introduced in 3.12.
Thank you in advance

encukou (Member) commented:

yeah, looks like the CVE text needs an update :(
cc @sethmlarson
The feature was backported to 3.8.17, 3.9.17, 3.10.12, 3.11.4

sethmlarson (Contributor) commented:

@encukou Gotcha, I didn't realize that filtering had been backported, I'll update the prose description in each document. The affectedness of the CVEs is correct thankfully :)

sethmlarson (Contributor) commented:

Updated the CVE records and sent a correction to security-announce@python.org.

Reviewers: encukou approved these changes