CPython Tarfile Module Infinite Loop Vulnerability Due to Negative Offsets

Vulnerability

A vulnerability exists in the CPython 'tarfile' module, specifically within the 'TarFile' extraction and entry enumeration APIs. The tar implementation computes the offset of each subsequent entry from values parsed out of the preceding header and accepts a negative result without any error checking; because tarfile decodes GNU base-256 number fields, which can encode negative numbers, a crafted header can move that offset backwards instead of forwards. Parsing such an archive then never advances, so entry enumeration loops indefinitely. The versions reported as affected are 3.12.8, 3.13.2 and the 3.14 pre-release current at the time of the report.

Impact

A crafted archive makes the parser loop indefinitely, so any call that enumerates or extracts members (for example 'getmembers()', iteration over the archive, or 'extractall()') never returns. The calling thread hangs and burns CPU, and because the parser keeps recording the re-read entry, the member list can also grow without bound. The result is a denial of service against any application that opens attacker-supplied tar files; no memory corruption or code execution is involved.

Reproduction

The vulnerability can be reproduced with a tar archive whose header carries a negative value in the size field. GNU tar's base-256 number encoding (a leading 0o377 byte) can express negative values, and tarfile decodes them as such. When the archive is opened with 'ignore_zeros' set to True and its members are enumerated, the negative value is accepted, the computed offset of the next entry points back at a header that has already been read, and the parser re-reads it indefinitely. An infinite loop raises no exception, so the observable symptom is simply that the enumerating or extracting call never returns: run it in a thread or subprocess with a timeout and treat the timeout as the positive result. 'tarfile.StreamError' is not the signal of this bug; it is raised only in the streaming read modes ('r|'), where the stream reader refuses a backward seek with 'seeking backwards is not allowed', so those modes fail fast instead of hanging.

Remediation

Upgrade to a CPython release that contains the fix. Where an upgrade is not immediately possible, a runtime patch can be applied after importing 'tarfile': wrap the '_block' method of 'tarfile.TarInfo' so that a negative byte count raises 'tarfile.InvalidHeaderError' instead of being rounded and returned. 'TarFile.next()' already converts that exception into 'tarfile.ReadError' (or skips the header when 'ignore_zeros' is set), so the crafted archive is rejected rather than looped over. Because '_block' is a private method, re-verify such a patch on every interpreter version it is applied to and drop it once the vendor fix is in place. Independently of the interpreter, applications that accept untrusted archives should run extraction under a time and size budget.
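The crafted header, a pre-parse check and the '_block' guard described above, as an added worked example that is not code from the CPython project or from this advisory. It relies on private tarfile helpers present in the affected versions ('TarInfo.tobuf', 'tarfile.nti', 'tarfile.calc_chksums', 'TarInfo._block'); the archives it builds are constructed inline, the member names 'evil.txt' and 'hello.txt' are placeholders, and the looping archive (a zero block followed by a header whose size is -512) is a reconstruction of the loop mechanism, not the original report's proof of concept. The guard is installed before any crafted archive is opened, so the script itself does not hang on an affected interpreter.

```python
"""Crafted negative-size tar headers, a pre-parse scanner and a _block guard.
Added example for this advisory, not CPython project code; all archives are
constructed inline. Uses private tarfile helpers present in affected versions."""
import io
import tarfile

BLOCKSIZE = tarfile.BLOCKSIZE           # 512
ENC, ERRS = "utf-8", "surrogateescape"  # tarfile's defaults for header text


def craft_negative_size_archive(size=-1024, leading_zero_blocks=0):
    """Constructed archive whose single header carries a negative size field.
    GNU base-256 number fields (leading byte 0o377) can encode negatives and
    tarfile.itn() emits them; the checksum is computed over the finished header,
    so the block passes validation. Leading zero blocks are skipped only under
    ignore_zeros=True, which is how that mode reaches a header at offset > 0."""
    info = tarfile.TarInfo("evil.txt")      # placeholder member name
    info.size = size
    header = info.tobuf(tarfile.GNU_FORMAT, ENC, ERRS)
    return b"\0" * (BLOCKSIZE * leading_zero_blocks) + header + b"\0" * (2 * BLOCKSIZE)


def craft_benign_archive():
    """Constructed, well-formed one-file archive for comparison."""
    payload = b"hello\n"
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as tf:
        info = tarfile.TarInfo("hello.txt")  # placeholder member name
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return out.getvalue()


def scan_for_negative_sizes(archive):
    """Walk the header chain as ignore_zeros=True would, without TarFile, and
    return [(offset, size)] for the first header whose size field is negative.
    The size field (bytes 124..135) decides where the next header is expected;
    a negative size moves that backwards, so the walk stops there. It also stops
    at a block that fails checksum validation, as TarFile would refuse it too.
    GNU sparse extension blocks are not followed."""
    found, pos = [], 0
    while pos + BLOCKSIZE <= len(archive):
        block = archive[pos:pos + BLOCKSIZE]
        if block.count(b"\0") == BLOCKSIZE:     # zero block: skip, as ignore_zeros does
            pos += BLOCKSIZE
            continue
        try:
            if tarfile.nti(block[148:156]) not in tarfile.calc_chksums(block):
                break                           # bad checksum: not a header
            size = tarfile.nti(block[124:136])
        except tarfile.HeaderError:
            break                               # malformed number field
        if size < 0:
            found.append((pos, size))
            break
        pos += BLOCKSIZE * (1 + -(-size // BLOCKSIZE))  # header + ceil(size/512) data blocks
    return found


def block_rejects_negative():
    """True once TarInfo._block refuses a negative count, natively or via the guard."""
    try:
        tarfile.TarInfo("probe")._block(-1)
    except tarfile.InvalidHeaderError:
        return True
    return False


def install_block_guard():
    """Wrap TarInfo._block so a negative count raises InvalidHeaderError, which
    TarFile.next() turns into ReadError (or skips under ignore_zeros). Returns
    True if a wrapper was installed, False if the interpreter already rejects."""
    if block_rejects_negative():
        return False
    original = tarfile.TarInfo._block

    def guarded_block(self, count):
        if count < 0:
            raise tarfile.InvalidHeaderError("invalid offset")
        return original(self, count)

    tarfile.TarInfo._block = guarded_block
    return True


def enumerate_with_guard(archive, ignore_zeros):
    """Install the guard, then enumerate members: returns the member names, or
    the string "ReadError" when tarfile rejects the archive outright.
    Without the guard, on an affected interpreter, enumerating
    craft_negative_size_archive(-512, 1) with ignore_zeros=True never returns:
    the header at offset 512 sets the next offset to 1024 - 512 = 512, so
    next() seeks back and re-reads the same header forever."""
    install_block_guard()
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:",
                          ignore_zeros=ignore_zeros) as tf:
            return [m.name for m in tf.getmembers()]
    except tarfile.ReadError:
        return "ReadError"


if __name__ == "__main__":
    for label, archive in (("benign", craft_benign_archive()),
                           ("negative size at 0", craft_negative_size_archive(-1024)),
                           ("negative size at 512", craft_negative_size_archive(-512, 1))):
        print(label, scan_for_negative_sizes(archive), enumerate_with_guard(archive, True))
```

The scanner is deliberately independent of 'TarFile' so it can be run over untrusted input before the archive is handed to the real parser; it mirrors the permissive 'ignore_zeros' walk because that is the mode in which the loop is reached. The guard is only a stopgap: it targets a private method and must be re-checked against each interpreter it is applied to.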

Added: Jul 28, 2025, 7:28 PM
Updated: Jul 28, 2025, 8:31 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.7
remediation     0.0
relevance       0.3
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.