Key information

Vulnerability type:

Description:
- When handling tarfile.StreamError, seeking backwards is not allowed, because there are unskipped blocks and a checksum error.
- The problem occurs while parsing a tarfile: some blocks have incorrect checksums, which causes the backward seek to fail.

Test environment:
- Python versions: 3.12.8, 3.13.2
- Operating system: Linux

Related PRs:
- #93077: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
- #137170: tarfile now validates archives and has to ensure member offsets are non-negative (GH-137027)
- #137171: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
- #137172: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
- #137173: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
- #137174: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
- #137175: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
- #137176: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
- #137177: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)

Status: Open

Labels: release-blocker, type-bug, type-security

Milestone: None

Participants: phigil, azareel, comaromd, bedevere-app, miss-islington, ethanfurman, gphhead, cielo-moliti, hugovk, bronkor