Bug 2370013 (CVE-2024-12718)

Summary: CVE-2024-12718 cpython: python: Bypass extraction filter to modify file metadata outside extraction directory
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bbrownin, dfreiber, drow, jburrell, ljawale, luizcosta, nweather, rbobbitt, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in CPython's tarfile module. This vulnerability allows modification of file metadata, such as timestamps or permissions, outside the intended extraction directory via maliciously crafted tar archives using the filter="data" or filter="tar" extraction filters.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2370022, 2375574, 2375575, 2375576    
Bug Blocks:    

Description OSIDB Bzimport 2025-06-03 14:01:20 UTC 
Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory.
You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.

Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected.

Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
Comment 3 errata-xmlrpc 2025-06-30 13:38:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:9918 https://access.redhat.com/errata/RHSA-2025:9918
Comment 4 errata-xmlrpc 2025-07-01 08:39:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:10026 https://access.redhat.com/errata/RHSA-2025:10026
Comment 5 errata-xmlrpc 2025-07-01 08:46:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:10028 https://access.redhat.com/errata/RHSA-2025:10028
Comment 6 errata-xmlrpc 2025-07-01 09:09:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:10031 https://access.redhat.com/errata/RHSA-2025:10031
Comment 7 errata-xmlrpc 2025-07-01 19:57:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:10128 https://access.redhat.com/errata/RHSA-2025:10128
Comment 8 errata-xmlrpc 2025-07-01 20:48:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:10136 https://access.redhat.com/errata/RHSA-2025:10136
Comment 9 errata-xmlrpc 2025-07-01 21:43:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:10140 https://access.redhat.com/errata/RHSA-2025:10140
Comment 10 errata-xmlrpc 2025-07-01 21:55:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:10148 https://access.redhat.com/errata/RHSA-2025:10148
Comment 12 errata-xmlrpc 2025-07-02 06:18:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:10189 https://access.redhat.com/errata/RHSA-2025:10189
Comment 14 errata-xmlrpc 2025-07-07 11:15:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:10399 https://access.redhat.com/errata/RHSA-2025:10399
Comment 15 errata-xmlrpc 2025-07-07 16:11:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service
  Red Hat Enterprise Linux 8.6 Extended Update Support EXTENSION

Via RHSA-2025:10484 https://access.redhat.com/errata/RHSA-2025:10484
Comment 16 errata-xmlrpc 2025-07-08 11:10:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service
  Red Hat Enterprise Linux 8.8 Extended Update Support EXTENSION

Via RHSA-2025:10602 https://access.redhat.com/errata/RHSA-2025:10602
Comment 22 errata-xmlrpc 2025-07-17 15:26:51 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2025:11386 https://access.redhat.com/errata/RHSA-2025:11386