PT-2025-31145 · Python+9 · Cpython+10

Alexander Urieles +3

Published 2025-07-28 · Updated 2026-04-29 · CVE-2025-8194

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Vulnerable software name and affected versions: CPython versions (affected versions not specified)
Description: A defect exists in CPython's "tarfile" module, affecting the "TarFile" extraction APIs and the entry-enumeration APIs. The tar implementation processes tar archives with negative offsets without raising an error, leading to an infinite loop and deadlock when parsing maliciously crafted tar files.
Recommendations: Apply the following patch after importing the "tarfile" module:
```python
import tarfile

def _block_patched(self, count):
    # Reject a negative byte count before it is rounded to BLOCKSIZE; an
    # unpatched tarfile accepts it and can loop forever on a crafted archive.
    if count < 0:  # pragma: no cover
        raise tarfile.InvalidHeaderError("invalid offset")
    return _block_patched._orig_block(self, count)

# Keep a reference to the original method, then install the wrapper.
_block_patched._orig_block = tarfile.TarInfo._block
tarfile.TarInfo._block = _block_patched
```
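
The workaround above, wrapped as an added example (it is not part of the advisory or of CPython itself): it installs the negative-offset guard only when the running interpreter still accepts negative counts, so a second call does not wrap the method again, and then confirms that an ordinary in-memory archive still round-trips. The function names and the sample archive are this example's own.

```python
import io
import tarfile

def block_size_for(count: int) -> int:
    """Call TarInfo._block so the guard's behaviour can be observed directly."""
    return tarfile.TarInfo()._block(count)

def rejects_negative_offsets() -> bool:
    """True if _block already raises on a negative count, i.e. the interpreter
    carries the upstream fix or this workaround has been installed."""
    try:
        block_size_for(-1)
    except tarfile.InvalidHeaderError:
        return True
    return False

def apply_workaround() -> bool:
    """Install the negative-offset guard only where it is still missing, so a
    second call does not wrap the method again. Returns True if installed."""
    if rejects_negative_offsets():
        return False

    def _block_patched(self, count):
        if count < 0:
            raise tarfile.InvalidHeaderError("invalid offset")
        return _block_patched._orig_block(self, count)

    _block_patched._orig_block = tarfile.TarInfo._block
    tarfile.TarInfo._block = _block_patched
    return True

def roundtrip_member(payload: bytes) -> bytes:
    """Write a one-member archive in memory (constructed sample) and read it
    back; a guard that broke normal parsing would surface here."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name="hello.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r") as tar:
        return tar.extractfile("hello.txt").read()

if __name__ == "__main__":
    print("guard installed now:", apply_workaround())
    print("rejects negative offsets:", rejects_negative_offsets())
    print("sample archive readable:", roundtrip_member(b"constructed sample"))
```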

Fix

DoS

Infinite Loop


Weakness Enumeration

Related identifiers

ALSA-2025:14546
ALSA-2025:14560
ALSA-2025:14841
ALSA-2025:14900
ALSA-2025:14984
ALSA-2025:15007
ALSA-2025:15010
ALSA-2025:15019
AZL-65984
AZL-65987
BDU:2025-09687
BIT-LIBPYTHON-2025-8194
BIT-PYTHON-2025-8194
BIT-PYTHON-MIN-2025-8194
CESA-2025_14546
CESA-2025_14560
CESA-2025_14841
CESA-2025_14900
CVE-2025-8194
ECHO-053D-4507-0279
INFSA-2025_14546
INFSA-2025_14560
INFSA-2025_14841
INFSA-2025_14900
INFSA-2025_15007
INFSA-2025_15010
INFSA-2025_15019
MGASA-2025-0280
OESA-2025-2100
OESA-2025-2101
OESA-2025-2102
OESA-2025-2103
OESA-2025-2290
OPENSUSE-SU-2025:15402-1
OPENSUSE-SU-2025:15403-1
OPENSUSE-SU-2025:15404-1
OPENSUSE-SU-2025:15407-1
OPENSUSE-SU-2025:15408-1
OPENSUSE-SU-2025:15409-1
OPENSUSE-SU-2025:15713-1
OPENSUSE-SU-2026:20081-1
PSF-2025-11
RHSA-2025:14546
RHSA-2025:14560
RHSA-2025:14841
RHSA-2025:14984
RHSA-2025:15007
RHSA-2025:15010
RHSA-2025:15019
RHSA-2025:15348
RHSA-2025:15724
RHSA-2025:15800
RHSA-2025:15968
RHSA-2025:16012
RHSA-2025:16016
RHSA-2025:16031
RHSA-2025:16062
RHSA-2025:16078
RHSA-2025:16117
RHSA-2025:16118
RHSA-2025:16151
RHSA-2025:16152
RHSA-2025:16153
RHSA-2025:16262
RHSA-2025_14546
RHSA-2025_14560
RHSA-2025_14841
RHSA-2025_14900
RHSA-2025_15007
RHSA-2025_15010
RHSA-2025_15019
SUSE-SU-2025:02700-1
SUSE-SU-2025:02701-1
SUSE-SU-2025:02717-1
SUSE-SU-2025:02767-1
SUSE-SU-2025:02778-1
SUSE-SU-2025:02787-1
SUSE-SU-2025:02802-1
SUSE-SU-2025:02948-1
SUSE-SU-2025:02982-1
SUSE-SU-2025:02983-1
SUSE-SU-2025:02984-1
SUSE-SU-2025:03032-1
SUSE-SU-2025:20631-1
SUSE-SU-2025:20749-1
SUSE-SU-2025:3706-1
SUSE-SU-2025_02717-1
SUSE-SU-2025_02778-1
SUSE-SU-2025_02802-1
SUSE-SU-2025_02983-1
SUSE-SU-2025_02984-1
SUSE-SU-2025_03032-1
SUSE-SU-2026:20125-1
SUSE-SU-2026:20154-1
USN-7710-1
USN-7710-2

Affected products

Almalinux
Cpython
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Tarfile