Bug 2459774 (CVE-2026-3219)

Summary: CVE-2026-3219 pip: pip: Incorrect file installation due to improper archive handling
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abarbaro, adudiak, alinfoot, alizardo, anpicker, anthomas, aprice, bbrownin, bdettelb, bparees, brasmith, caswilli, cochase, derez, dfreiber, doconnor, dranck, drow, dschmidt, dtrifiro, eborisov, ebourniv, eglynn, ehelms, erezende, ggainey, gtanzill, hasun, jburrell, jbuscemi, jchui, jdobes, jfula, jhe, jjoyce, jkoehler, jlanda, jmitchel, jowilson, jsamir, juwatts, jwong, kaycoth, kbempah, kgaikwad, kshier, ktsao, lball, lgallett, ljawale, lphiri, luizcosta, mburns, mgarciac, mhulan, mrunge, nboldt, ngough, nmoumoul, nweather, nyancey, oaljalju, oezr, omaciel, ometelka, orabin, osousa, pakotvan, pbohmill, pcreech, psrna, ptisnovs, rbobbitt, rbryant, rchan, rjohnson, sbunciak, sdawley, simaishi, smallamp, smcdonal, solenoci, stcannon, sthirugn, syedriko, teagle, tmalecek, ttakamiy, veshanka, vimartin, vkumar, weaton, xdharmai, yguenane, zzhou
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in pip. This vulnerability occurs because pip incorrectly processes concatenated tar and ZIP files as ZIP files, regardless of their true format. This improper handling can lead to confusing installation behavior, potentially causing the installation of unintended or 'incorrect' files. This could allow an attacker to influence the installation process by providing a specially crafted archive.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2461289, 2461290, 2461288    
Bug Blocks:    

Description OSIDB Bzimport 2026-04-20 16:02:17 UTC 
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.