-------- Forwarded Message --------
Subject: [Security-announce][CVE-2026-3219] pip doesn't reject concatenated ZIP
and tar archives
Date: Mon, 20 Apr 2026 15:02:13 +0000
From: Seth Larson <[email protected]>
Reply-To: [email protected]
To: [email protected]
There is a MEDIUM severity vulnerability affecting pip.
pip handles concatenated tar and ZIP files as ZIP files regardless of filename
or whether a file is both a tar and ZIP file. This behavior could result in
confusing installation behavior, such as installing "incorrect" files according
to the filename of the archive. New behavior only proceeds with installation if
the file identifies uniquely as a ZIP or tar archive, not as both.
Please see the linked CVE ID for the latest information on affected versions:
* https://www.cve.org/CVERecord?id=CVE-2026-3219
* https://github.com/pypa/pip/pull/13870
_______________________________________________
Security-announce mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3//lists/security-announce.python.org
