2370010 – (CVE-2025-4435) CVE-2025-4435 cpython: Tarfile extracts filtered members when errorlevel=0

Bug 2370010 (CVE-2025-4435) - CVE-2025-4435 cpython: Tarfile extracts filtered members when errorlevel=0

Summary: CVE-2025-4435 cpython: Tarfile extracts filtered members when errorlevel=0

Keywords:
Status:	NEW
Alias:	CVE-2025-4435
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2370021 2375581 2375582 2375583
Blocks:
TreeView+	depends on / blocked

Reported:	2025-06-03 14:01 UTC by OSIDB Bzimport
Modified:	2025-07-16 18:38 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2025:10198	None	None	None	2025-07-02 08:38:49 UTC
Red Hat Product Errata	RHBA-2025:10245	None	None	None	2025-07-02 14:31:44 UTC
Red Hat Product Errata	RHBA-2025:10247	None	None	None	2025-07-02 14:53:38 UTC
Red Hat Product Errata	RHBA-2025:10249	None	None	None	2025-07-02 15:04:02 UTC
Red Hat Product Errata	RHBA-2025:10261	None	None	None	2025-07-02 17:04:53 UTC
Red Hat Product Errata	RHBA-2025:10262	None	None	None	2025-07-02 17:15:11 UTC
Red Hat Product Errata	RHBA-2025:10263	None	None	None	2025-07-02 17:33:24 UTC
Red Hat Product Errata	RHBA-2025:10338	None	None	None	2025-07-07 01:00:35 UTC
Red Hat Product Errata	RHBA-2025:10339	None	None	None	2025-07-07 01:38:41 UTC
Red Hat Product Errata	RHBA-2025:10340	None	None	None	2025-07-07 02:27:48 UTC
Red Hat Product Errata	RHBA-2025:10365	None	None	None	2025-07-07 01:29:44 UTC
Red Hat Product Errata	RHBA-2025:10366	None	None	None	2025-07-07 02:18:22 UTC
Red Hat Product Errata	RHBA-2025:10367	None	None	None	2025-07-07 02:40:10 UTC
Red Hat Product Errata	RHBA-2025:10417	None	None	None	2025-07-07 13:02:18 UTC
Red Hat Product Errata	RHBA-2025:10420	None	None	None	2025-07-07 13:04:09 UTC
Red Hat Product Errata	RHBA-2025:10421	None	None	None	2025-07-07 13:09:25 UTC
Red Hat Product Errata	RHBA-2025:10422	None	None	None	2025-07-07 13:11:20 UTC
Red Hat Product Errata	RHBA-2025:10423	None	None	None	2025-07-07 13:05:03 UTC
Red Hat Product Errata	RHBA-2025:10424	None	None	None	2025-07-07 13:07:38 UTC
Red Hat Product Errata	RHBA-2025:10425	None	None	None	2025-07-07 13:12:35 UTC
Red Hat Product Errata	RHBA-2025:10426	None	None	None	2025-07-07 13:11:00 UTC
Red Hat Product Errata	RHBA-2025:10427	None	None	None	2025-07-07 13:14:33 UTC
Red Hat Product Errata	RHBA-2025:10598	None	None	None	2025-07-08 10:53:24 UTC
Red Hat Product Errata	RHBA-2025:10841	None	None	None	2025-07-14 07:01:00 UTC
Red Hat Product Errata	RHBA-2025:10843	None	None	None	2025-07-14 07:00:52 UTC
Red Hat Product Errata	RHBA-2025:11346	None	None	None	2025-07-16 18:33:07 UTC
Red Hat Product Errata	RHBA-2025:11347	None	None	None	2025-07-16 18:38:14 UTC
Red Hat Product Errata	RHSA-2025:10026	None	None	None	2025-07-01 08:39:04 UTC
Red Hat Product Errata	RHSA-2025:10028	None	None	None	2025-07-01 08:46:38 UTC
Red Hat Product Errata	RHSA-2025:10031	None	None	None	2025-07-01 09:09:52 UTC
Red Hat Product Errata	RHSA-2025:10128	None	None	None	2025-07-01 19:57:22 UTC
Red Hat Product Errata	RHSA-2025:10136	None	None	None	2025-07-01 20:48:30 UTC
Red Hat Product Errata	RHSA-2025:10140	None	None	None	2025-07-01 21:43:21 UTC
Red Hat Product Errata	RHSA-2025:10148	None	None	None	2025-07-01 21:55:56 UTC
Red Hat Product Errata	RHSA-2025:10189	None	None	None	2025-07-02 06:18:09 UTC
Red Hat Product Errata	RHSA-2025:10399	None	None	None	2025-07-07 11:15:30 UTC
Red Hat Product Errata	RHSA-2025:10484	None	None	None	2025-07-07 16:11:24 UTC
Red Hat Product Errata	RHSA-2025:10602	None	None	None	2025-07-08 11:10:49 UTC
Red Hat Product Errata	RHSA-2025:9918	None	None	None	2025-06-30 13:38:13 UTC

Description OSIDB Bzimport 2025-06-03 14:01:09 UTC

When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.

Comment 3 errata-xmlrpc 2025-06-30 13:38:11 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:9918 https://access.redhat.com/errata/RHSA-2025:9918

Comment 4 errata-xmlrpc 2025-07-01 08:39:03 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:10026 https://access.redhat.com/errata/RHSA-2025:10026

Comment 5 errata-xmlrpc 2025-07-01 08:46:37 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:10028 https://access.redhat.com/errata/RHSA-2025:10028

Comment 6 errata-xmlrpc 2025-07-01 09:09:50 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:10031 https://access.redhat.com/errata/RHSA-2025:10031

Comment 7 errata-xmlrpc 2025-07-01 19:57:20 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:10128 https://access.redhat.com/errata/RHSA-2025:10128

Comment 8 errata-xmlrpc 2025-07-01 20:48:29 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:10136 https://access.redhat.com/errata/RHSA-2025:10136

Comment 9 errata-xmlrpc 2025-07-01 21:43:19 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:10140 https://access.redhat.com/errata/RHSA-2025:10140

Comment 10 errata-xmlrpc 2025-07-01 21:55:54 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:10148 https://access.redhat.com/errata/RHSA-2025:10148

Comment 12 errata-xmlrpc 2025-07-02 06:18:07 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:10189 https://access.redhat.com/errata/RHSA-2025:10189

Comment 14 errata-xmlrpc 2025-07-07 11:15:29 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:10399 https://access.redhat.com/errata/RHSA-2025:10399

Comment 15 errata-xmlrpc 2025-07-07 16:11:22 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service
  Red Hat Enterprise Linux 8.6 Extended Update Support EXTENSION

Via RHSA-2025:10484 https://access.redhat.com/errata/RHSA-2025:10484

Comment 16 errata-xmlrpc 2025-07-08 11:10:47 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service
  Red Hat Enterprise Linux 8.8 Extended Update Support EXTENSION

Via RHSA-2025:10602 https://access.redhat.com/errata/RHSA-2025:10602

Note You need to log in before you can comment on or make changes to this bug.