CVE-2025-13462

Name: CVE-2025-13462
Description: The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    | Release              | Version            | Status
python2.7 (PTS)   | bullseye             | 2.7.18-8+deb11u1   | vulnerable
python3.11 (PTS)  | bookworm             | 3.11.2-6+deb12u6   | vulnerable
python3.11 (PTS)  | bookworm (security)  | 3.11.2-6+deb12u3   | vulnerable
python3.13 (PTS)  | trixie               | 3.13.5-2           | vulnerable
python3.13 (PTS)  | forky, sid           | 3.13.12-1          | vulnerable
python3.14 (PTS)  | forky                | 3.14.3-3           | vulnerable
python3.14 (PTS)  | sid                  | 3.14.3-5           | fixed
python3.9 (PTS)   | bullseye             | 3.9.2-1            | vulnerable
python3.9 (PTS)   | bullseye (security)  | 3.9.2-1+deb11u5    | vulnerable

The information below is based on the following data on fixed versions.

Package     | Type    | Release     | Fixed Version | Urgency      | Origin | Debian Bugs
python2.7   | source  | bullseye    | (unfixed)     | end-of-life  |        |
python2.7   | source  | (unstable)  | (unfixed)     |              |        |
python3.11  | source  | (unstable)  | (unfixed)     |              |        |
python3.13  | source  | (unstable)  | (unfixed)     |              |        |
python3.14  | source  | (unstable)  | 3.14.3-4      |              |        |
python3.9   | source  | (unstable)  | (unfixed)     |              |        |

Notes

[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
https://mail.python.org/archives/list/security-announce@python.org/thread/EOMI5I66ZMKQ2INNFT6T7IAIKUGPZYIE/
https://github.com/python/cpython/issues/141707
https://github.com/python/cpython/pull/143934
https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab (main)
https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017 (3.14 branch)
https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7 (3.13 branch)
