Source: python-pip
Version: 25.2+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/pypa/pip/pull/13550
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-pip.

CVE-2025-8869[0]:
| When extracting a tar archive pip may not check symbolic links point
| into the extraction directory if the tarfile module doesn't
| implement PEP 706. Note that upgrading pip to a "fixed" version for
| this vulnerability doesn't fix all known vulnerabilities that are
| remediated by using a Python version that implements PEP 706. Note
| that this is a vulnerability in pip's fallback implementation of tar
| extraction for Python versions that don't implement PEP 706 and
| therefore are not secure to all vulnerabilities in the Python
| 'tarfile' module. If you're using a Python version that implements
| PEP 706 then pip doesn't use the "vulnerable" fallback code.
| Mitigations include upgrading to a version of pip that includes the
| fix, upgrading to a Python version that implements PEP 706 (Python
| >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked
| patch, or inspecting source distributions (sdists) before
| installation as is already a best-practice.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-8869
    https://www.cve.org/CVERecord?id=CVE-2025-8869
[1] https://github.com/pypa/pip/pull/13550
[2] https://github.com/pypa/pip/commit/f2b92314da012b9fffa36b3f3e67748a37ef464a
[3] https://mail.python.org/archives/list/[email protected]/thread/IF5A3GCJY3VH7BVHJKOWOJFKTW7VFQEN/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
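The check the CVE text describes (symbolic links in a tar archive must resolve inside the extraction directory), shown as an added example that is not pip's code and not part of the bug report above. It uses the PEP 706 `filter="data"` extraction when the running `tarfile` provides it and otherwise applies an explicit pre-extraction check over every member; the function names, the `UnsafeArchiveError` class and the constructed in-memory sample archive are assumptions made for this illustration.

```python
import io
import os
import tarfile
import tempfile
from typing import List


class UnsafeArchiveError(Exception):
    """Raised when an archive would write or link outside the destination."""


def _is_within(base: str, path: str) -> bool:
    """True if `path` lies inside `base` after normalising '..' components."""
    base = os.path.abspath(base)
    path = os.path.abspath(path)
    return path == base or path.startswith(base + os.sep)


def unsafe_members(tar: tarfile.TarFile, dest: str) -> List[str]:
    """Return names of members that would escape `dest`.

    Fallback check for Pythons without PEP 706: member paths must stay inside
    dest, symlink targets (relative to the link's own directory) must resolve
    inside dest, hard links must point at a path inside dest, and absolute
    names/targets and device nodes are rejected outright.
    """
    dest = os.path.abspath(dest)
    bad = []
    for m in tar.getmembers():
        if os.path.isabs(m.name) or not _is_within(dest, os.path.join(dest, m.name)):
            bad.append(m.name)
            continue
        if m.issym():
            # A symlink target is relative to the directory containing the link.
            target = os.path.join(dest, os.path.dirname(m.name), m.linkname)
            if os.path.isabs(m.linkname) or not _is_within(dest, target):
                bad.append(m.name)
        elif m.islnk():
            # A hard link target is relative to the archive root.
            if os.path.isabs(m.linkname) or not _is_within(dest, os.path.join(dest, m.linkname)):
                bad.append(m.name)
        elif m.isdev():
            bad.append(m.name)
    return bad


def safe_extract(data: bytes, dest: str) -> None:
    """Extract `data` into `dest`, refusing members that escape it."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        if hasattr(tarfile, "data_filter"):
            # PEP 706 is available (3.12+, or a backport): let tarfile enforce it.
            try:
                tar.extractall(dest, filter="data")
            except tarfile.FilterError as exc:
                raise UnsafeArchiveError(str(exc)) from exc
            return
        bad = unsafe_members(tar, dest)
        if bad:
            raise UnsafeArchiveError("members escape destination: %s" % ", ".join(bad))
        tar.extractall(dest)


def build_sample_archive(include_escape: bool = True) -> bytes:
    """Constructed sample sdist-like archive: a file, an in-tree symlink and,
    optionally, a symlink whose target lies outside the extraction directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"print('hello')\n"
        info = tarfile.TarInfo("pkg/setup.py")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
        ok = tarfile.TarInfo("pkg/link_ok")
        ok.type = tarfile.SYMTYPE
        ok.linkname = "setup.py"          # resolves to pkg/setup.py: inside dest
        tar.addfile(ok)
        if include_escape:
            esc = tarfile.TarInfo("pkg/link_escape")
            esc.type = tarfile.SYMTYPE
            esc.linkname = "../../outside.txt"  # resolves above dest: rejected
            tar.addfile(esc)
    return buf.getvalue()


def escaping_members(data: bytes) -> List[str]:
    """Run the fallback check alone, against a hypothetical destination."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return unsafe_members(tar, "/tmp/extract-root")


def try_extract(data: bytes) -> bool:
    """True if the archive extracts cleanly into a fresh temp dir, else False."""
    with tempfile.TemporaryDirectory() as dest:
        try:
            safe_extract(data, dest)
        except UnsafeArchiveError:
            return False
    return True


if __name__ == "__main__":
    print("escaping:", escaping_members(build_sample_archive()))
    print("benign extracts:", try_extract(build_sample_archive(include_escape=False)))
```

Both code paths reject the same archive: on a PEP 706 interpreter the `data` filter raises `tarfile.FilterError`, and on older interpreters `unsafe_members` flags `pkg/link_escape` before anything is written. Running the explicit check even where the filter exists is a cheap way to log which member tripped the policy.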

