[CVE-2026-3479] Documented `pkgutil.get_data()` restrictions are not enforced #146121

Closed

Assignees

Labels

3.103.113.123.133.143.15release-blockerstdlibtype-security

StanFromIreland

opened

on Mar 18, 2026

Please see PR for more information.

The PSRT has decided to treat this as a security issue since this was a documented restriction.

Linked PRs

gh-146121: pkgutil.get_data() reject invalid resource arguments #146122
[3.14] gh-146121: pkgutil.get_data() reject invalid resource arguments (GH-146122) #146133
[3.13] gh-146121: pkgutil.get_data() reject invalid resource arguments (GH-146122) #146134
[3.12] gh-146121: pkgutil.get_data() reject invalid resource arguments (GH-146122) #146135
[3.11] gh-146121: pkgutil.get_data() reject invalid resource arguments (GH-146122) #146136
[3.10] gh-146121: pkgutil.get_data() reject invalid resource arguments (GH-146122) #146137
gh-146121: Clarify security model of pkgutil.getdata; revert checks #148197
[3.13] gh-146121: Clarify security model of pkgutil.getdata; revert checks (GH-148197) #148205
[3.14] gh-146121: Clarify security model of pkgutil.getdata; revert checks (GH-148197) #148206

Metadata

Assignees

StanFromIreland

Labels

3.103.113.123.133.143.15release-blockerstdlibtype-security

Fields

No fields configured for issues without a type.

Projects

Release and Deferred blockers 🚫

Status

Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests