There is 1 open security issue in trixie.
1 issue left for the package maintainer to handle:
- CVE-2026-29509 (needs triaging): Patool before 4.0.5 contains a path traversal vulnerability in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Python before 3.12, where the is_within_directory() helper uses os.path.commonprefix() for character-level string comparison instead of path-level comparison, allowing a crafted archive member path to bypass the containment check. Attackers can supply a malicious archive with specially crafted member paths to write arbitrary files.
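To make the character-level versus path-level distinction concrete, here is an added illustration (not patool's own code and not taken from the fix): a prefix-based containment check written in the style the CVE text describes, next to a path-level check built on os.path.commonpath(), with a helper that runs both over a few constructed archive member names. The directory name, member names and function names are assumptions for the example.

```python
import os


def is_within_directory_prefix(directory: str, target: str) -> bool:
    """Character-level check (the weak pattern described for CVE-2026-29509).

    os.path.commonprefix() compares strings one character at a time, so a
    sibling such as '<dir>_other' shares the whole prefix with '<dir>' and
    is wrongly treated as contained. Hypothetical helper, not patool's code.
    """
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    prefix = os.path.commonprefix([abs_directory, abs_target])
    return prefix == abs_directory


def is_within_directory_path(directory: str, target: str) -> bool:
    """Path-level check: compares whole path components, not characters.

    realpath() resolves '..' and symlinks on both sides; commonpath() then
    returns the longest shared *component* prefix, so '<dir>_other' shares
    only the parent directory with '<dir>' and is rejected.
    """
    abs_directory = os.path.realpath(directory)
    abs_target = os.path.realpath(target)
    try:
        return os.path.commonpath([abs_directory, abs_target]) == abs_directory
    except ValueError:
        # Raised when the paths cannot share a root (e.g. different drives
        # on Windows); treat that as "not contained".
        return False


def audit_members(directory: str, member_names: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {member: (accepted_by_prefix_check, accepted_by_path_check)}.

    Mirrors what an extractor would compute for each archive entry before
    writing it under `directory`; useful for unit-testing a containment helper.
    """
    results = {}
    for name in member_names:
        candidate = os.path.join(directory, name)  # absolute names replace the base
        results[name] = (
            is_within_directory_prefix(directory, candidate),
            is_within_directory_path(directory, candidate),
        )
    return results


if __name__ == "__main__":
    # Constructed example input: an extraction directory and archive member
    # names as they might appear in a tar listing.
    base = "/opt/unpack-example"
    members = [
        "docs/readme.txt",             # legitimate, inside the directory
        "../unpack-example2/note.txt", # escapes into a same-prefix sibling
        "../../etc/hosts",             # escapes well above the directory
        "/opt/unpack-example2/x",      # absolute name with the same prefix
    ]
    for name, (by_prefix, by_path) in audit_members(base, members).items():
        print(f"{name:32} prefix-check={by_prefix!s:5} path-check={by_path!s:5}")
```

Only the first member should be accepted. The prefix check also admits the two sibling-directory cases, which is exactly the class of bypass the advisory describes, while the path-level check rejects them. On Python 3.12 and later the tarfile module additionally offers `extractall(filter="data")`, which refuses members that would land outside the destination regardless of how the caller's own containment helper is written.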
You can find information about how to handle this issue in the security team's documentation.