Python's `tarfile` module makes it too easy to extract tarballs in an unsafe way. Unfortunately, for the CVE to be considered fixed, this needs a behavior change. For more details see upstream PEP 706: https://peps.python.org/pep-0706
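An added illustration of the behavior change PEP 706 introduces (not code from this bug report or from the Samba patches): extracting with the `data` filter rejects a member that would land outside the destination directory. The sample archive and the names `build_sample_tar`, `safe_extract` and `_inside` are constructed for this example, and the fallback branch for interpreters without the filter is an assumption about how one might cover them.

```python
import io
import os
import tarfile
import tempfile


def build_sample_tar():
    """Constructed sample: one benign member, one that climbs out via '..'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("ok/readme.txt", b"hello"), ("../escape.txt", b"x")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def _inside(dest, name):
    """Fallback check (assumption): the resolved target must stay under dest."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root


def safe_extract(fileobj, dest):
    """Extract into dest and return (extracted, rejected) member names."""
    extracted, rejected = [], []
    have_filter = hasattr(tarfile, "data_filter")  # PEP 706 feature test
    with tarfile.open(fileobj=fileobj, mode="r", errorlevel=1) as tar:
        for member in tar:
            try:
                if have_filter:
                    tar.extract(member, dest, filter="data")
                elif (member.isreg() or member.isdir()) and _inside(dest, member.name):
                    tar.extract(member, dest)
                else:
                    raise tarfile.ExtractError("unsafe member")
            except tarfile.TarError:
                rejected.append(member.name)
            else:
                extracted.append(member.name)
    return extracted, rejected


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(safe_extract(build_sample_tar(), tmp))
```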
This bug was referenced in samba master: ebaa00816259cbae5c45ebf0ba5fb260b09e4695 8c90c66a9a409d807dad56822540509c9813425b 431f7698e48387413aac586c7a939a1682464681 1f74f9f366d7f107a89220a4a5951bc4daf18025
Created attachment 17922: patch for 4.18
Ready for 4.18.
Pushed to autobuild-v4-18-test.
This bug was referenced in samba v4-18-test: 4a79ee44c311f1a78de9fc9d2b8bc73fb4987719 eff4e88d2cc01d60a8ad03108f0d5691bde0e976 b7cad429a52857ac8a1d1685c732f4c746e7c339 a6edfaa498552dcef704bda0c6fcb7b14c88bdcc
Closing out bug report. Thanks!
This bug was referenced in samba v4-18-stable (Release samba-4.18.4): 4a79ee44c311f1a78de9fc9d2b8bc73fb4987719 eff4e88d2cc01d60a8ad03108f0d5691bde0e976 b7cad429a52857ac8a1d1685c732f4c746e7c339 a6edfaa498552dcef704bda0c6fcb7b14c88bdcc
This bug was referenced in samba master: e401ae44b2f952fc2686065fbfb3a563e3d4066a
Re-opened due to regressions.
Created attachment 17992: backport for 4.18
Re-assigning to Jule to have the regression fix get into the next 4.18 release.
This bug was referenced in samba v4-18-test: 14ce7756e7a5403144126f55be1f7022374c64ea
This bug was referenced in samba v4-19-test: e401ae44b2f952fc2686065fbfb3a563e3d4066a
This bug was referenced in samba v4-19-stable (Release samba-4.19.0rc1): e401ae44b2f952fc2686065fbfb3a563e3d4066a
This bug was referenced in samba v4-18-stable (Release samba-4.18.6): 14ce7756e7a5403144126f55be1f7022374c64ea