« List of all CVEs

CVE-2025-13462

tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling

Published: 3/12/2026 Last updated: 6/4/2026 Reserved: 11/19/2025

The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.

CNA assigner: PSF (28c92f92-d60d-412d-b760-e73465c3df22) Requested by: n/a

Metrics

Version Score Severity Vector String
4.0 2 Low CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Opam packages affected (7)

conf-python-2-7 conf-python-2-7-dev conf-python-3 conf-python-3-7 conf-python-3-dev py termbox

Products affected (2)

Product Vendor Version
CPython Python Software Foundation n/a
CPython Python Software Foundation 6.1.x

References (18)