=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN665
_____________________________________________________________________

DATE                : 23/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running CPython.
 
=====================================================================
https://mail.python.org/archives/list/security-announce@python.org/thread/LD6QIISNQFQYOIEPJNEUIPV7S3V76FZH/
_____________________________________________________________________


[CVE-2026-11940] tarfile extraction filter bypass allows escaping the
destination directory

Stan Ulbrych
23 June 2026 10:55

There is a HIGH severity vulnerability affecting CPython.

tarfile.extractall() with the 'data' or 'tar' filter could be bypassed
by a crafted archive where a hardlink references a symlink stored at a
deeper name than the hardlink itself.  The extraction fallback validated
the symlink at its archived location but recreated it at the hardlink's
shallower path, letting a relative target the filter judged contained
escape the destination directory.  This allowed a malicious tar archive
to create a symlink pointing outside the destination, enabling
out-of-destination file reads or writes.  This was an incomplete fix of
CVE-2025-4330.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-11940
    https://github.com/python/cpython/pull/151559


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




