CVE-2026-11940: fix the symlink escape via tarfile hardlink-extraction fallback (bsc#1268977)

Adds: CVE-2026-11940-tarfile-escape.patch
This commit is contained in:
2026-07-02 11:59:41 +02:00
parent e85e112091
commit 5a7ba243d3
3 changed files with 82 additions and 0 deletions
+7
View File
@@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Jul 1 23:10:26 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
- CVE-2026-11940: fix the symlink escape via tarfile
hardlink-extraction fallback (bsc#1268977)
CVE-2026-11940-tarfile-escape.patch
-------------------------------------------------------------------
Mon Jun 29 06:37:10 UTC 2026 - Jiri Slaby <jslaby@suse.cz>
+3
View File
@@ -232,6 +232,9 @@ Patch46: CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch
# PATCH-FIX-UPSTREAM CVE-2026-6019-Morsel-js_output.patch bsc#1262654 mcepl@suse.com
# Base64-encode cookie values embedded in JS
Patch47: CVE-2026-6019-Morsel-js_output.patch
# PATCH-FIX-UPSTREAM CVE-2026-11940-tarfile-escape.patch bsc#1268977 mcepl@suse.com
# Fix symlink escape via tarfile hardlink-extraction fallback
Patch48: CVE-2026-11940-tarfile-escape.patch
### END OF PATCHES
BuildRequires: autoconf-archive
BuildRequires: automake
+72
View File
@@ -0,0 +1,72 @@
From 8947727186fff1897329325d690af832a5d38e4a Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <stan@python.org>
Date: Tue, 23 Jun 2026 14:31:38 +0100
Subject: [PATCH 1/2] gh-151558: Fix symlink escape via `tarfile`
hardlink-extraction fallback (GH-151559) (cherry picked from commit
27dd970bf6b17ebca7c8ed486a40ab043ed7af8f)
Co-authored-by: Stan Ulbrych <stan@python.org>
---
Lib/tarfile.py | 3 +
Lib/test/test_tarfile.py | 24 ++++++++++
Misc/NEWS.d/next/Security/2026-06-10-13-08-19.gh-issue-151558.mL74i2.rst | 3 +
3 files changed, 30 insertions(+)
create mode 100644 Misc/NEWS.d/next/Security/2026-06-10-13-08-19.gh-issue-151558.mL74i2.rst
Index: Python-3.11.15/Lib/tarfile.py
===================================================================
--- Python-3.11.15.orig/Lib/tarfile.py 2026-07-02 12:09:33.732145754 +0200
+++ Python-3.11.15/Lib/tarfile.py 2026-07-02 12:09:33.864108270 +0200
@@ -2662,6 +2662,9 @@
"makelink_with_filter: if filter_function is not None, "
+ "extraction_root must also not be None")
try:
+ filter_function(
+ unfiltered.replace(name=tarinfo.name, deep=False),
+ extraction_root)
filtered = filter_function(unfiltered, extraction_root)
except _FILTER_ERRORS as cause:
raise LinkFallbackError(tarinfo, unfiltered.name) from cause
Index: Python-3.11.15/Lib/test/test_tarfile.py
===================================================================
--- Python-3.11.15.orig/Lib/test/test_tarfile.py 2026-07-02 12:09:33.733105801 +0200
+++ Python-3.11.15/Lib/test/test_tarfile.py 2026-07-02 12:09:33.864793876 +0200
@@ -3999,6 +3999,30 @@
self.expect_file("c", symlink_to='b')
@symlink_test
+ def test_sneaky_hardlink_fallback_deep(self):
+ # (CVE-2026-11940)
+ with ArchiveMaker() as arc:
+ arc.add("a/b/s", symlink_to=os.path.join("..", "escape"))
+ arc.add("s", hardlink_to=os.path.join("a", "b", "s"))
+
+ with self.check_context(arc.open(), 'data'):
+ e = self.expect_exception(
+ tarfile.LinkFallbackError,
+ "link 's' would be extracted as a copy of "
+ + "'a/b/s', which was rejected")
+ self.assertIsInstance(e.__cause__,
+ tarfile.LinkOutsideDestinationError)
+
+ for filter in 'tar', 'fully_trusted':
+ with self.subTest(filter), self.check_context(arc.open(), filter):
+ if not os_helper.can_symlink():
+ self.expect_file("a/")
+ self.expect_file("a/b/")
+ else:
+ self.expect_file("a/b/s", symlink_to=os.path.join('..', 'escape'))
+ self.expect_file("s", symlink_to=os.path.join('..', 'escape'))
+
+ @symlink_test
def test_exfiltration_via_symlink(self):
# (CVE-2025-4138)
# Test changing symlinks that result in a symlink pointing outside
Index: Python-3.11.15/Misc/NEWS.d/next/Security/2026-06-10-13-08-19.gh-issue-151558.mL74i2.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.11.15/Misc/NEWS.d/next/Security/2026-06-10-13-08-19.gh-issue-151558.mL74i2.rst 2026-07-02 12:09:33.865970015 +0200
@@ -0,0 +1,3 @@
+Fixed an vulnerability in the :mod:`tarfile` ``data`` and ``tar`` extraction
+filters where crafted archives could create a symlink pointing outside the
+destination directory. This was a bypass of CVE-2025-4330.