2431026 – (CVE-2026-23949) CVE-2026-23949 jaraco.context: jaraco.context: Path traversal via malicious tar archives

Bug 2431026 (CVE-2026-23949) - CVE-2026-23949 jaraco.context: jaraco.context: Path traversal via malicious tar archives

Summary: CVE-2026-23949 jaraco.context: jaraco.context: Path traversal via malicious t...

Keywords:
Status:	NEW
Alias:	CVE-2026-23949
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2431058 2431059 2431060 2431061
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-20 01:01 UTC by OSIDB Bzimport
Modified:	2026-01-20 03:59 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-20 01:01:23 UTC

jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The strip_first_component filter splits the path on the first `/` and extracts the second component, while allowing `../` sequences. Paths like `dummy_dir/../../etc/passwd` become `../../etc/passwd`. Note that this suffers from a nested tarball attack as well with multi-level tar files such as `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a traversal `dummy_dir/../../config/.env` that also gets translated to `../../config/.env`. Version 6.1.0 contains a patch for the issue.

Note You need to log in before you can comment on or make changes to this bug.