This fixes the following vulnerability:
- CVE-2025-8869:
When extracting a tar archive pip may not check symbolic links point
into the extraction directory if the tarfile module doesn't implement
PEP 706. Note that upgrading pip to a "fixed" version for this
vulnerability doesn't fix all known vulnerabilities that are
remediated by using a Python version that implements PEP 706. Note
that this is a vulnerability in pip's fallback implementation of tar
extraction for Python versions that don't implement PEP 706 and
therefore are not secure to all vulnerabilities in the Python
'tarfile' module. If you're using a Python version that implements PEP
706 then pip doesn't use the "vulnerable" fallback code. Mitigations
include upgrading to a version of pip that includes the fix, upgrading
to a Python version that implements PEP 706 (Python >=3.9.17,
>=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or
inspecting source distributions (sdists) before installation as is
already a best-practice.
https://www.cve.org/CVERecord?id=CVE-2025-8869
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 78d687d2d2)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
dd1e3183df