Python tarfile Module AREGTYPE Normalization Vulnerability
Vulnerability
A vulnerability exists in the Python tarfile module's handling of certain tar archive types. When processing multi-block members encoded with GNU long name or long link types, the module incorrectly normalizes AREGTYPE blocks to DIRTYPE. This misinterpretation can lead to errors, such as skipping necessary updates to the TarInfo entry type, which may cause subsequent read operations to fail. The issue has been observed in Python versions 3.9 through 3.14 on both macOS and Linux.
Impact
This vulnerability can cause corruption in the TarInfo header by misclassifying entry types, particularly when valid file entries are incorrectly identified as directories. Such corruption can disrupt the normal processing of tar files, leading to exceptions that are silently ignored, causing the tarfile module to mistakenly conclude that there are no more entries to read.
Reproduction
The vulnerability can be reproduced by creating a tar archive that includes entries with GNU long name or long link types, and AREGTYPE blocks. When this archive is processed with the tarfile module, the normalization error will occur, corrupting the entry types and causing the described read failures.
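The following script is an added example, not code from the advisory or from CPython. It builds the kind of archive the paragraph above describes (a regular file whose name exceeds the 100-byte ustar field, so the GNU writer emits a long-name header block ahead of it, with the file header itself marked AREGTYPE), dumps the raw header typeflags so the multi-block layout is visible, and then reads the archive back through `tarfile` to confirm that both members are still reported as regular files with their contents. The names, payloads and the `check_roundtrip` helper are constructed for this example; on a fixed interpreter the check passes, and a misclassified or dropped entry shows up as a member count or type mismatch rather than as an exception, which matches the silent failure mode described above.

```python
"""Round-trip check for GNU long-name members whose file header uses AREGTYPE."""
import io
import tarfile

BLOCK = 512
# Constructed sample path: longer than the 100-byte ustar name field, so the
# GNU writer emits a 'L' (GNUTYPE_LONGNAME) header block before the real header.
LONG_NAME = "reports/" + "x" * 120 + ".log"


def build_archive() -> bytes:
    """Write a two-member GNU-format archive into memory and return its bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        payload = b"alpha\n"
        ti = tarfile.TarInfo(LONG_NAME)
        ti.size = len(payload)
        ti.type = tarfile.AREGTYPE  # old V7 regular-file marker (b"\0"), not REGTYPE (b"0")
        tf.addfile(ti, io.BytesIO(payload))
        # A short-named member after it: if the reader stops early, this one goes missing.
        tail = tarfile.TarInfo("tail.txt")
        tail.size = 4
        tf.addfile(tail, io.BytesIO(b"end\n"))
    return buf.getvalue()


def raw_typeflags(data: bytes) -> list:
    """Walk the 512-byte header blocks and return (name_field, typeflag) per header.

    Data blocks are skipped using the octal size field; the walk stops at the
    first all-zero block (end-of-archive marker).
    """
    out = []
    off = 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:
            break
        name = hdr[0:100].rstrip(b"\0").decode("utf-8", "replace")
        typeflag = hdr[156:157]
        size = int(hdr[124:136].rstrip(b"\0 ").decode() or "0", 8)
        out.append((name, typeflag))
        off += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK
    return out


def roundtrip_summary(data: bytes) -> list:
    """Read the archive with tarfile and report (name, is_file, is_dir, content)."""
    out = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for m in tf.getmembers():
            content = tf.extractfile(m).read() if m.isfile() else None
            out.append((m.name, m.isfile(), m.isdir(), content))
    return out


def check_roundtrip() -> bool:
    """True when both members come back as regular files with the expected data."""
    members = roundtrip_summary(build_archive())
    return (len(members) == 2
            and members[0] == (LONG_NAME, True, False, b"alpha\n")
            and members[1] == ("tail.txt", True, False, b"end\n"))


if __name__ == "__main__":
    # Expected layout: the 'L' long-name block, the AREGTYPE file header, then 'tail.txt'.
    for name, flag in raw_typeflags(build_archive()):
        print(f"{flag!r:8} {name}")
    print("round-trip OK" if check_roundtrip() else "round-trip FAILED: entry types corrupted")
```

Run it on each interpreter you ship; a `False` from `check_roundtrip()` means `tarfile` either reclassified the long-named file or stopped reading before `tail.txt`, which is the symptom to look for before trusting that interpreter with untrusted archives.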
Remediation
Users can update to the latest version of Python, where this vulnerability has been addressed. Instructions for updating Python can be found in the Python documentation.
