Re: Fwd:[CVE-2025-8194] Cpython Tarfile infinite loop during parsing with negative member offset

[Seth Larson <seth () python org>]

Hello!

Thanks for bringing the formatting issue to our attention, the prose
description renders fine in the Vulnogram UI. Regarding the version range,
I believe that is correct. All Python versions (from 0 to 3.14.0) are
affected by this vulnerability. The patches that have landed in GitHub have
not yet been released. When the patches are included in a release the CVE
will automatically update with the fixed versions.

Hope this helps!

Seth Larson

On Tue, Jul 29, 2025 at 12:50 PM Mats Wichmann <mats () wichmann us> wrote:

> On 7/28/25 13:55, Alan Coopersmith forwarded a cPython security issue:
>
> some unfortunate glitches here. first, a template failure:
>
> > There is a HIGH severity vulnerability affecting {project}.
>
> second and third:
>
> > Please see the linked CVE ID for the latest information on affected
> > versions:
> >
> > * https://www.cve.org/CVERecord?id=CVE-2025-8194
> The CVE contents suggest nothing is broken:
>
>  > affected
>
>  >    affected from 0 before 3.14.0
>
> (3.14 still being unreleased).  But patches for this were backported to
> all supported cPython versions, so the effect must be a bit wider than
> that.
>
>
> And in the cve record itself, the patch suggestion comes out mangled.
> _______________________________________________
> PSRT mailing list -- psrt () python org
> To unsubscribe send an email to psrt-leave () python org
> https://mail.python.org/mailman3//lists/psrt.python.org
> Member address: seth.larson () pyfound org