Security fix for CVE-2025-8194

Resolves: RHEL-106333
2025-08-11 13:32:59 +02:00 · 2025-08-11 13:32:59 +02:00 · f59b8f1717
commit f59b8f1717
parent 6e9b200e35
2 changed files with 227 additions and 1 deletions
--- a/00467-tarfile-cve-2025-8194.patch
+++ b/00467-tarfile-cve-2025-8194.patch
@ -0,0 +1,215 @@
 From 738482c8b9a8a8f3ccdb678ad508a86d702a6751 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Mon, 11 Aug 2025 13:39:27 +0200
 Subject: [PATCH] 00467: tarfile CVE-2025-8194
 tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
 Co-authored-by: Gregory P. Smith <greg@krypto.org>
 ---
 Lib/tarfile.py                                |   3 +
 Lib/test/test_tarfile.py                      | 156 ++++++++++++++++++
 ...-07-23-00-35-29.gh-issue-130577.c7EITy.rst |   3 +
 3 files changed, 162 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
 diff --git a/Lib/tarfile.py b/Lib/tarfile.py
 index 7d94b5c..3e03ebf 100755
 --- a/Lib/tarfile.py
 +++ b/Lib/tarfile.py
@@ -1589,6 +1589,9 @@ class TarInfo(object):
         """Round up a byte count by BLOCKSIZE and return it,
            e.g. _block(834) => 1024.
         """
 +        # Only non-negative offsets are allowed
 +        if count < 0:
 +            raise InvalidHeaderError("invalid offset")
         blocks, remainder = divmod(count, BLOCKSIZE)
         if remainder:
             blocks += 1
 diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
 index 01da819..0a7586a 100644
 --- a/Lib/test/test_tarfile.py
 +++ b/Lib/test/test_tarfile.py
@@ -43,6 +43,7 @@ bz2name = os.path.join(TEMPDIR, "testtar.tar.bz2")
 xzname = os.path.join(TEMPDIR, "testtar.tar.xz")
 tmpname = os.path.join(TEMPDIR, "tmp.tar")
 dotlessname = os.path.join(TEMPDIR, "testtar")
 +SPACE = b" "
 sha256_regtype = (
     "e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce"
@@ -4018,6 +4019,161 @@ class TestExtractionFilters(unittest.TestCase):
                 self.check_trusted_default(tar, tempdir)
 +class OffsetValidationTests(unittest.TestCase):
 +    tarname = tmpname
 +    invalid_posix_header = (
 +        # name: 100 bytes
 +        tarfile.NUL * tarfile.LENGTH_NAME
 +        # mode, space, null terminator: 8 bytes
 +        + b"000755" + SPACE + tarfile.NUL
 +        # uid, space, null terminator: 8 bytes
 +        + b"000001" + SPACE + tarfile.NUL
 +        # gid, space, null terminator: 8 bytes
 +        + b"000001" + SPACE + tarfile.NUL
 +        # size, space: 12 bytes
 +        + b"\xff" * 11 + SPACE
 +        # mtime, space: 12 bytes
 +        + tarfile.NUL * 11 + SPACE
 +        # chksum: 8 bytes
 +        + b"0011407" + tarfile.NUL
 +        # type: 1 byte
 +        + tarfile.REGTYPE
 +        # linkname: 100 bytes
 +        + tarfile.NUL * tarfile.LENGTH_LINK
 +        # magic: 6 bytes, version: 2 bytes
 +        + tarfile.POSIX_MAGIC
 +        # uname: 32 bytes
 +        + tarfile.NUL * 32
 +        # gname: 32 bytes
 +        + tarfile.NUL * 32
 +        # devmajor, space, null terminator: 8 bytes
 +        + tarfile.NUL * 6 + SPACE + tarfile.NUL
 +        # devminor, space, null terminator: 8 bytes
 +        + tarfile.NUL * 6 + SPACE + tarfile.NUL
 +        # prefix: 155 bytes
 +        + tarfile.NUL * tarfile.LENGTH_PREFIX
 +        # padding: 12 bytes
 +        + tarfile.NUL * 12
 +    )
 +    invalid_gnu_header = (
 +        # name: 100 bytes
 +        tarfile.NUL * tarfile.LENGTH_NAME
 +        # mode, null terminator: 8 bytes
 +        + b"0000755" + tarfile.NUL
 +        # uid, null terminator: 8 bytes
 +        + b"0000001" + tarfile.NUL
 +        # gid, space, null terminator: 8 bytes
 +        + b"0000001" + tarfile.NUL
 +        # size, space: 12 bytes
 +        + b"\xff" * 11 + SPACE
 +        # mtime, space: 12 bytes
 +        + tarfile.NUL * 11 + SPACE
 +        # chksum: 8 bytes
 +        + b"0011327" + tarfile.NUL
 +        # type: 1 byte
 +        + tarfile.REGTYPE
 +        # linkname: 100 bytes
 +        + tarfile.NUL * tarfile.LENGTH_LINK
 +        # magic: 8 bytes
 +        + tarfile.GNU_MAGIC
 +        # uname: 32 bytes
 +        + tarfile.NUL * 32
 +        # gname: 32 bytes
 +        + tarfile.NUL * 32
 +        # devmajor, null terminator: 8 bytes
 +        + tarfile.NUL * 8
 +        # devminor, null terminator: 8 bytes
 +        + tarfile.NUL * 8
 +        # padding: 167 bytes
 +        + tarfile.NUL * 167
 +    )
 +    invalid_v7_header = (
 +        # name: 100 bytes
 +        tarfile.NUL * tarfile.LENGTH_NAME
 +        # mode, space, null terminator: 8 bytes
 +        + b"000755" + SPACE + tarfile.NUL
 +        # uid, space, null terminator: 8 bytes
 +        + b"000001" + SPACE + tarfile.NUL
 +        # gid, space, null terminator: 8 bytes
 +        + b"000001" + SPACE + tarfile.NUL
 +        # size, space: 12 bytes
 +        + b"\xff" * 11 + SPACE
 +        # mtime, space: 12 bytes
 +        + tarfile.NUL * 11 + SPACE
 +        # chksum: 8 bytes
 +        + b"0010070" + tarfile.NUL
 +        # type: 1 byte
 +        + tarfile.REGTYPE
 +        # linkname: 100 bytes
 +        + tarfile.NUL * tarfile.LENGTH_LINK
 +        # padding: 255 bytes
 +        + tarfile.NUL * 255
 +    )
 +    valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT)
 +    data_block = b"\xff" * tarfile.BLOCKSIZE
 +
 +    def _write_buffer(self, buffer):
 +        with open(self.tarname, "wb") as f:
 +            f.write(buffer)
 +
 +    def _get_members(self, ignore_zeros=None):
 +        with open(self.tarname, "rb") as f:
 +            with tarfile.open(
 +                mode="r", fileobj=f, ignore_zeros=ignore_zeros
 +            ) as tar:
 +                return tar.getmembers()
 +
 +    def _assert_raises_read_error_exception(self):
 +        with self.assertRaisesRegex(
 +            tarfile.ReadError, "file could not be opened successfully"
 +        ):
 +            self._get_members()
 +
 +    def test_invalid_offset_header_validations(self):
 +        for tar_format, invalid_header in (
 +            ("posix", self.invalid_posix_header),
 +            ("gnu", self.invalid_gnu_header),
 +            ("v7", self.invalid_v7_header),
 +        ):
 +            with self.subTest(format=tar_format):
 +                self._write_buffer(invalid_header)
 +                self._assert_raises_read_error_exception()
 +
 +    def test_early_stop_at_invalid_offset_header(self):
 +        buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header
 +        self._write_buffer(buffer)
 +        members = self._get_members()
 +        self.assertEqual(len(members), 1)
 +        self.assertEqual(members[0].name, "filename")
 +        self.assertEqual(members[0].offset, 0)
 +
 +    def test_ignore_invalid_archive(self):
 +        # 3 invalid headers with their respective data
 +        buffer = (self.invalid_gnu_header + self.data_block) * 3
 +        self._write_buffer(buffer)
 +        members = self._get_members(ignore_zeros=True)
 +        self.assertEqual(len(members), 0)
 +
 +    def test_ignore_invalid_offset_headers(self):
 +        for first_block, second_block, expected_offset in (
 +            (
 +                (self.valid_gnu_header),
 +                (self.invalid_gnu_header + self.data_block),
 +                0,
 +            ),
 +            (
 +                (self.invalid_gnu_header + self.data_block),
 +                (self.valid_gnu_header),
 +                1024,
 +            ),
 +        ):
 +            self._write_buffer(first_block + second_block)
 +            members = self._get_members(ignore_zeros=True)
 +            self.assertEqual(len(members), 1)
 +            self.assertEqual(members[0].name, "filename")
 +            self.assertEqual(members[0].offset, expected_offset)
 +
 +
 def setUpModule():
     support.unlink(TEMPDIR)
     os.makedirs(TEMPDIR)
 diff --git a/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
 new file mode 100644
 index 0000000..342cabb
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
@@ -0,0 +1,3 @@
 +:mod:`tarfile` now validates archives to ensure member offsets are
 +non-negative.  (Contributed by Alexander Enrique Urieles Nieto in
 +:gh:`130577`.)
 -- 
 2.50.1
--- a/python3.spec
+++ b/python3.spec
@ -14,7 +14,7 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
 Version: %{pybasever}.8
-Release: 70%{?dist}
+Release: 71%{?dist}
 License: Python
@ -935,6 +935,12 @@ Patch444: 00444-security-fix-for-cve-2024-11168.patch
 # - downstream only patch that makes the changes work and compatible with Python 3.6
 Patch465: 00465-tarfile-cves.patch
 # 00467 #
 # tarfile CVE-2025-8194
 #
 # tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
 Patch467: 00467-tarfile-cve-2025-8194.patch
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1305,6 +1311,7 @@ GIT_DIR=$PWD git apply %{PATCH351}
 %patch443 -p1
 %patch444 -p1
 %patch465 -p1
 %patch467 -p1
 # Remove files that should be generated by the build
 # (This is after patching, so that we can use patches directly from upstream)
@ -2236,6 +2243,10 @@ fi
 # ======================================================
 %changelog
 * Mon Aug 11 2025 Lumír Balhar <lbalhar@redhat.com> - 3.6.8-71
 - Security fix for CVE-2025-8194
 Resolves: RHEL-106333
 * Tue Jun 24 2025 Lumír Balhar <lbalhar@redhat.com> - 3.6.8-70
 - Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435
 Resolves: RHEL-98030, RHEL-97987, RHEL-98232, RHEL-98065, RHEL-98189