This was reported to us in December, but we determined then that it added little additional danger because attackers who can alter the backup tarfiles can already take over the domain (via reading secrets or making "valid" changes), and they presumably have root on the box.
However, that doesn't take into account that an administrator *might* be tricked into running the restore command with an entirely fictitious backup file that overwrites known valuable files. We should guard against that, and against future uses of tarfile in Python.
There is no embargo here.
(patch on its way).
(In reply to Douglas Bagnall from comment #0)
> This was reported to us in December
by Luis Alberto López Alvar, who appears to have found the bug independently.
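A guard of the kind comment #0 calls for, as an added example (it is not the Samba patch and not code from this report): every member of the archive is validated before anything is written, and the whole restore is refused if any member would land outside the destination. The helper names and the in-memory sample archives are constructed for illustration.

```python
import io
import os
import tarfile


def check_member(member, dest):
    """Return a reason string if extracting member under dest is unsafe, else None."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, member.name))
    if os.path.isabs(member.name):
        return "absolute path"
    if os.path.commonpath([dest, target]) != dest:
        return "escapes destination"
    if member.issym() or member.islnk():
        return "link member"
    if not (member.isfile() or member.isdir()):
        return "special file"
    return None


def safe_extract(tar, dest):
    """Validate all members first; extract nothing if any one is rejected."""
    rejected = [(m.name, r) for m in tar.getmembers() if (r := check_member(m, dest))]
    if rejected:
        raise ValueError(f"refusing to extract: {rejected}")
    # Use the standard library's own 'data' filter as well, where this Python has it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(dest, **kwargs)


def build_sample(names, symlink=None):
    """Build a constructed in-memory tar archive to use as sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        if symlink:  # (member name, link target)
            info = tarfile.TarInfo(symlink[0])
            info.type = tarfile.SYMTYPE
            info.linkname = symlink[1]
            tar.addfile(info)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

Rejecting the archive outright, rather than skipping the bad members, means a file with one out-of-tree entry is never partially restored.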