=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN643
_____________________________________________________________________

DATE                : 25/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems using pip on Python versions prior to 3.9.17.

=====================================================================
https://mail.python.org/archives/list/security-announce@python.org/thread/IF5A3GCJY3VH7BVHJKOWOJFKTW7VFQEN/
_____________________________________________________________________

[CVE-2025-8869] Fallback tar extraction in pip doesn't check symbolic
links point to extraction directory


Seth Larson
24 September 2025 14:56

When extracting a tar archive pip may not check symbolic links point
into the extraction directory if the tarfile module doesn't implement
PEP 706. Note that upgrading pip to a "fixed" version for this
vulnerability doesn't fix all known vulnerabilities that are
remediated by using a Python version that implements PEP 706.

Note that this is a vulnerability in pip's fallback implementation
of tar extraction for Python versions that don't implement PEP 706
and therefore are not secure to all vulnerabilities in the Python
'tarfile' module. If you're using a Python version that implements
PEP 706 then pip doesn't use the "vulnerable" fallback code.
...

Mitigations include upgrading to a version of pip that includes the
fix, upgrading to a Python version that implements PEP 706
(Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the
linked patch, or inspecting source distributions (sdists) before
installation as is already a best-practice.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2025-8869
    https://github.com/pypa/pip/pull/13550

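The missing check described in the announcement (that a symlink member's target resolves inside the extraction directory), as an added example written for this note and not code from pip or from the announcement. `implements_pep706` reports whether the running Python's tarfile has the PEP 706 `data_filter`, in which case pip does not use its fallback extractor; the sample archive and the `/tmp/extract` destination are constructed for illustration.

```python
import io
import os
import tarfile


def implements_pep706() -> bool:
    """True when this Python's tarfile provides the PEP 706 filters
    (tarfile.data_filter), i.e. pip will not use its fallback extractor."""
    return hasattr(tarfile, "data_filter")


def symlink_escapes(member: tarfile.TarInfo, dest: str) -> bool:
    """True if a symlink member, once created under dest, would resolve
    to a location outside dest (the check the fallback code lacked)."""
    if not member.issym():
        return False
    dest = os.path.realpath(dest)
    link_path = os.path.join(dest, member.name)
    # A symlink target is interpreted relative to the link's own directory.
    target = os.path.realpath(
        os.path.join(os.path.dirname(link_path), member.linkname))
    return os.path.commonpath([dest, target]) != dest


def escaping_symlinks(archive: bytes, dest: str) -> list:
    """Names of symlink members in archive that would escape dest."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        return [m.name for m in tf.getmembers() if symlink_escapes(m, dest)]


def build_sample() -> bytes:
    """Constructed sample sdist-like archive: a regular file, a symlink that
    stays inside the tree, and one whose target resolves outside it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"hello\n"
        info = tarfile.TarInfo("pkg/README")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
        good = tarfile.TarInfo("pkg/README.link")
        good.type, good.linkname = tarfile.SYMTYPE, "README"
        tf.addfile(good)
        bad = tarfile.TarInfo("pkg/escape")
        bad.type, bad.linkname = tarfile.SYMTYPE, "../../outside"
        tf.addfile(bad)
    return buf.getvalue()


if __name__ == "__main__":
    print("PEP 706 tarfile:", implements_pep706())
    print("escaping symlinks:", escaping_symlinks(build_sample(), "/tmp/extract"))
```

Run it on the Python that pip will use: if `implements_pep706()` is False, that interpreter falls within the affected range and sdists should be inspected with a check like this before installation.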

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
