Closed
Description
Bug description:
Public issue for fixing CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, and CVE-2024-12718. See full advisory on security-announce.
[edit @encukou]: Also addresses CVE-2025-4435. Sorry for leaving that out of the commit messages.
CPython versions tested on:
CPython main branch
Operating systems tested on:
No response
Linked PRs
- gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') #135037
- [3.13] gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') (GH-135037) #135064
- [3.14] gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') (gh-135037) #135065
- [3.12] gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') (GH-135037) #135066
- [3.11] gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') (GH-135037) #135068
- [3.10] gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') (GH-135037) #135070
- [3.9] gh-135034: Normalize link targets in tarfile, add os.path.realpath(strict='allow_missing') (GH-135037) #135084
- [3.12] gh-135034: Remove test_realpath_permission #135093