python-interpreters/python311
SHA256
6
0
Fork 0
forked from pool/python311
Code Pull Requests Activity

update the patch

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=192
This commit is contained in:
Matej Cepl
2025-08-01 20:22:03 +00:00
committed by Git OBS Bridge
parent c46ea90100
commit ed20f76271
1 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
CVE-2025-8194-tarfile-no-neg-offsets.patch
View File

@@ -1,4 +1,4 @@
From 28d130238bfb5604eef4b594d597f7b5ec951eba Mon Sep 17 00:00:00 2001
From cb3519590c62f9b1abf7f31b92ec37d4b725ce15 Mon Sep 17 00:00:00 2001
From: Alexander Urieles <aeurielesn@users.noreply.github.com>
Date: Mon, 28 Jul 2025 17:37:26 +0200
Subject: [PATCH] gh-130577: tarfile now validates archives to ensure member
@@ -16,8 +16,8 @@ Co-authored-by: Gregory P. Smith <greg@krypto.org>
Index: Python-3.11.13/Lib/tarfile.py
===================================================================
--- Python-3.11.13.orig/Lib/tarfile.py 2025-08-01 22:17:38.141397067 +0200
+++ Python-3.11.13/Lib/tarfile.py 2025-08-01 22:17:42.375160009 +0200
--- Python-3.11.13.orig/Lib/tarfile.py 2025-08-01 22:21:29.158050900 +0200
+++ Python-3.11.13/Lib/tarfile.py 2025-08-01 22:21:33.121079687 +0200
@@ -1613,6 +1613,9 @@
"""Round up a byte count by BLOCKSIZE and return it,
e.g. _block(834) => 1024.
@@ -30,8 +30,8 @@ Index: Python-3.11.13/Lib/tarfile.py
blocks += 1
Index: Python-3.11.13/Lib/test/test_tarfile.py
===================================================================
--- Python-3.11.13.orig/Lib/test/test_tarfile.py 2025-08-01 22:17:39.582120870 +0200
+++ Python-3.11.13/Lib/test/test_tarfile.py 2025-08-01 22:17:42.375846065 +0200
--- Python-3.11.13.orig/Lib/test/test_tarfile.py 2025-08-01 22:21:30.644301786 +0200
+++ Python-3.11.13/Lib/test/test_tarfile.py 2025-08-01 22:21:33.121718600 +0200
@@ -50,6 +50,7 @@
xzname = os.path.join(TEMPDIR, "testtar.tar.xz")
tmpname = os.path.join(TEMPDIR, "tmp.tar")
@@ -205,7 +205,7 @@ Index: Python-3.11.13/Lib/test/test_tarfile.py
Index: Python-3.11.13/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.11.13/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst 2025-08-01 22:17:42.376340965 +0200
+++ Python-3.11.13/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst 2025-08-01 22:21:33.122108946 +0200
@@ -0,0 +1,3 @@
+:mod:`tarfile` now validates archives to ensure member offsets are
+non-negative. (Contributed by Alexander Enrique Urieles Nieto in