Message-ID: <94d43c9f-1280-4247-bef2-556190620d84@wichmann.us>
Date: Mon, 28 Jul 2025 17:00:29 -0600
From: Mats Wichmann <mats@...hmann.us>
To: oss-security@...ts.openwall.com
Subject: Re: Fwd:[CVE-2025-8194] Cpython Tarfile infinite loop during parsing with negative member offset

On 7/28/25 13:55, Alan Coopersmith forwarded a cPython security issue:

Some unfortunate glitches here. First, a template failure:

> There is a HIGH severity vulnerability affecting {project}.

Second and third:

> Please see the linked CVE ID for the latest information on affected
> versions:
>
> * https://www.cve.org/CVERecord?id=CVE-2025-8194

The CVE contents suggest nothing is broken:

> affected
>
>    affected from 0 before 3.14.0

(3.14 still being unreleased). But patches for this were backported to
all supported cPython versions, so the effect must be a bit wider than that.

And in the CVE record itself, the patch suggestion comes out mangled.
