From cc54e987a1ac7b5b939a5e599cc15a84299261a0 Mon Sep 17 00:00:00 2001
From: cunshunxia <cunshunxia@tencent.com>
Date: Wed, 30 Jul 2025 11:27:57 +0800
Subject: [PATCH] fix CVE-2025-8194

---
 CVE-2025-8194.patch | 193 ++++++++++++++++++++++++++++++++++++++++++++
 python3.11.spec     |   9 ++-
 2 files changed, 201 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-8194.patch

diff --git a/CVE-2025-8194.patch b/CVE-2025-8194.patch
new file mode 100644
index 0000000..3a134b2
--- /dev/null
+++ b/CVE-2025-8194.patch
@@ -0,0 +1,193 @@
+diff -urpN Python-3.11.6.orig/Lib/tarfile.py Python-3.11.6/Lib/tarfile.py
+--- Python-3.11.6.orig/Lib/tarfile.py	2025-07-30 12:00:50.033934538 +0800
++++ Python-3.11.6/Lib/tarfile.py	2025-07-30 12:01:05.026023378 +0800
+@@ -1567,6 +1567,9 @@ class TarInfo(object):
+         """Round up a byte count by BLOCKSIZE and return it,
+            e.g. _block(834) => 1024.
+         """
++        # Only non-negative offsets are allowed
++        if count < 0:
++            raise InvalidHeaderError("invalid offset")
+         blocks, remainder = divmod(count, BLOCKSIZE)
+         if remainder:
+             blocks += 1
+diff -urpN Python-3.11.6.orig/Lib/test/test_tarfile.py Python-3.11.6/Lib/test/test_tarfile.py
+--- Python-3.11.6.orig/Lib/test/test_tarfile.py	2025-07-30 12:00:50.102934947 +0800
++++ Python-3.11.6/Lib/test/test_tarfile.py	2025-07-30 12:01:05.026023378 +0800
+@@ -49,6 +49,7 @@ bz2name = os.path.join(TEMPDIR, "testtar
+ xzname = os.path.join(TEMPDIR, "testtar.tar.xz")
+ tmpname = os.path.join(TEMPDIR, "tmp.tar")
+ dotlessname = os.path.join(TEMPDIR, "testtar")
++SPACE = b" "
+ 
+ sha256_regtype = (
+     "e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce"
+@@ -4013,6 +4014,161 @@ class TestExtractionFilters(unittest.Tes
+             self.expect_exception(TypeError)  # errorlevel is not int
+ 
+ 
++class OffsetValidationTests(unittest.TestCase):
++    tarname = tmpname
++    invalid_posix_header = (
++        # name: 100 bytes
++        tarfile.NUL * tarfile.LENGTH_NAME
++        # mode, space, null terminator: 8 bytes
++        + b"000755" + SPACE + tarfile.NUL
++        # uid, space, null terminator: 8 bytes
++        + b"000001" + SPACE + tarfile.NUL
++        # gid, space, null terminator: 8 bytes
++        + b"000001" + SPACE + tarfile.NUL
++        # size, space: 12 bytes
++        + b"\xff" * 11 + SPACE
++        # mtime, space: 12 bytes
++        + tarfile.NUL * 11 + SPACE
++        # chksum: 8 bytes
++        + b"0011407" + tarfile.NUL
++        # type: 1 byte
++        + tarfile.REGTYPE
++        # linkname: 100 bytes
++        + tarfile.NUL * tarfile.LENGTH_LINK
++        # magic: 6 bytes, version: 2 bytes
++        + tarfile.POSIX_MAGIC
++        # uname: 32 bytes
++        + tarfile.NUL * 32
++        # gname: 32 bytes
++        + tarfile.NUL * 32
++        # devmajor, space, null terminator: 8 bytes
++        + tarfile.NUL * 6 + SPACE + tarfile.NUL
++        # devminor, space, null terminator: 8 bytes
++        + tarfile.NUL * 6 + SPACE + tarfile.NUL
++        # prefix: 155 bytes
++        + tarfile.NUL * tarfile.LENGTH_PREFIX
++        # padding: 12 bytes
++        + tarfile.NUL * 12
++    )
++    invalid_gnu_header = (
++        # name: 100 bytes
++        tarfile.NUL * tarfile.LENGTH_NAME
++        # mode, null terminator: 8 bytes
++        + b"0000755" + tarfile.NUL
++        # uid, null terminator: 8 bytes
++        + b"0000001" + tarfile.NUL
++        # gid, space, null terminator: 8 bytes
++        + b"0000001" + tarfile.NUL
++        # size, space: 12 bytes
++        + b"\xff" * 11 + SPACE
++        # mtime, space: 12 bytes
++        + tarfile.NUL * 11 + SPACE
++        # chksum: 8 bytes
++        + b"0011327" + tarfile.NUL
++        # type: 1 byte
++        + tarfile.REGTYPE
++        # linkname: 100 bytes
++        + tarfile.NUL * tarfile.LENGTH_LINK
++        # magic: 8 bytes
++        + tarfile.GNU_MAGIC
++        # uname: 32 bytes
++        + tarfile.NUL * 32
++        # gname: 32 bytes
++        + tarfile.NUL * 32
++        # devmajor, null terminator: 8 bytes
++        + tarfile.NUL * 8
++        # devminor, null terminator: 8 bytes
++        + tarfile.NUL * 8
++        # padding: 167 bytes
++        + tarfile.NUL * 167
++    )
++    invalid_v7_header = (
++        # name: 100 bytes
++        tarfile.NUL * tarfile.LENGTH_NAME
++        # mode, space, null terminator: 8 bytes
++        + b"000755" + SPACE + tarfile.NUL
++        # uid, space, null terminator: 8 bytes
++        + b"000001" + SPACE + tarfile.NUL
++        # gid, space, null terminator: 8 bytes
++        + b"000001" + SPACE + tarfile.NUL
++        # size, space: 12 bytes
++        + b"\xff" * 11 + SPACE
++        # mtime, space: 12 bytes
++        + tarfile.NUL * 11 + SPACE
++        # chksum: 8 bytes
++        + b"0010070" + tarfile.NUL
++        # type: 1 byte
++        + tarfile.REGTYPE
++        # linkname: 100 bytes
++        + tarfile.NUL * tarfile.LENGTH_LINK
++        # padding: 255 bytes
++        + tarfile.NUL * 255
++    )
++    valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT)
++    data_block = b"\xff" * tarfile.BLOCKSIZE
++
++    def _write_buffer(self, buffer):
++        with open(self.tarname, "wb") as f:
++            f.write(buffer)
++
++    def _get_members(self, ignore_zeros=None):
++        with open(self.tarname, "rb") as f:
++            with tarfile.open(
++                mode="r", fileobj=f, ignore_zeros=ignore_zeros
++            ) as tar:
++                return tar.getmembers()
++
++    def _assert_raises_read_error_exception(self):
++        with self.assertRaisesRegex(
++            tarfile.ReadError, "file could not be opened successfully"
++        ):
++            self._get_members()
++
++    def test_invalid_offset_header_validations(self):
++        for tar_format, invalid_header in (
++            ("posix", self.invalid_posix_header),
++            ("gnu", self.invalid_gnu_header),
++            ("v7", self.invalid_v7_header),
++        ):
++            with self.subTest(format=tar_format):
++                self._write_buffer(invalid_header)
++                self._assert_raises_read_error_exception()
++
++    def test_early_stop_at_invalid_offset_header(self):
++        buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header
++        self._write_buffer(buffer)
++        members = self._get_members()
++        self.assertEqual(len(members), 1)
++        self.assertEqual(members[0].name, "filename")
++        self.assertEqual(members[0].offset, 0)
++
++    def test_ignore_invalid_archive(self):
++        # 3 invalid headers with their respective data
++        buffer = (self.invalid_gnu_header + self.data_block) * 3
++        self._write_buffer(buffer)
++        members = self._get_members(ignore_zeros=True)
++        self.assertEqual(len(members), 0)
++
++    def test_ignore_invalid_offset_headers(self):
++        for first_block, second_block, expected_offset in (
++            (
++                (self.valid_gnu_header),
++                (self.invalid_gnu_header + self.data_block),
++                0,
++            ),
++            (
++                (self.invalid_gnu_header + self.data_block),
++                (self.valid_gnu_header),
++                1024,
++            ),
++        ):
++            self._write_buffer(first_block + second_block)
++            members = self._get_members(ignore_zeros=True)
++            self.assertEqual(len(members), 1)
++            self.assertEqual(members[0].name, "filename")
++            self.assertEqual(members[0].offset, expected_offset)
++
++
+ def setUpModule():
+     os_helper.unlink(TEMPDIR)
+     os.makedirs(TEMPDIR)
+diff -urpN Python-3.11.6.orig/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst Python-3.11.6/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
+--- Python-3.11.6.orig/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst	1970-01-01 08:00:00.000000000 +0800
++++ Python-3.11.6/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst	2025-07-30 12:01:05.026023378 +0800
+@@ -0,0 +1,3 @@
++:mod:`tarfile` now validates archives to ensure member offsets are
++non-negative.  (Contributed by Alexander Enrique Urieles Nieto in
++:gh:`130577`.)
diff --git a/python3.11.spec b/python3.11.spec
index ed65642..aedd3f5 100644
--- a/python3.11.spec
+++ b/python3.11.spec
@@ -64,7 +64,7 @@
 Summary: Version %{pybasever} of the Python interpreter
 Name: python%{pybasever}
 Version: %{src_version}
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: Python-2.0.1
 URL: https://www.python.org/
 
@@ -93,6 +93,8 @@ Patch0016: CVE-2025-4435.patch
 # https://github.com/python/cpython/pull/135464
 Patch0017: CVE-2025-6069.patch
 Patch0018: CVE-2025-4516-3.11-gh-133767-Fix-use-after-free-in-the-unicode-esc.patch
+# https://github.com/python/cpython/pull/137172
+Patch0019: CVE-2025-8194.patch
 
 Patch3000: 00001-rpath.patch
 Patch3001: 00251-change-user-install-location.patch
@@ -1120,6 +1122,11 @@ LD_LIBRARY_PATH=$(pwd)/normal $(pwd)/normal/python -m test.regrtest \
 %endif
 
 %changelog
+* Wed Jul 30 2025 cunshunxia <cunshunxia@tencent.com> - 3.11.6-20
+- fix CVE-2025-8194.
+- gh-130577: tarfile now validates archives to ensure member
+- offsets are non-negative (GH-137027)
+
 * Wed Jul 9 2025 Shuo Wang <abushwang@tencent.com> - 3.11.6-19
 - fix CVE-2025-4516
 - gh-133767: Fix use-after-free in the unicode-escape decoder
-- 
Gitee