[3.9] gh-130577: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)

[gpshead]

(cherry picked from commit 7040aa5)

• Issue: tarfile.StreamError: seeking backwards is not allowed due to unskipped block with bad checksum #130577

[kulikjak]

archiver_tests are not imported and do not exist in 3.9 sources.

[mgorny]

Same as in the 3.10 backport, this seems to have been mistakenly added as a result of merge error.

[frenzymadness]

Is there anything I can do to move this forward? There is another CVE fix already merged into 3.9, and it'd be great to release them both together.

[mgorny]

In case that helps update it:

Suggested change

	class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase):
	testdir = os.path.join(TEMPDIR, "testoverwrite")
	@classmethod
	def setUpClass(cls):
	p = cls.ar_with_file = os.path.join(TEMPDIR, 'tar-with-file.tar')
	cls.addClassCleanup(os_helper.unlink, p)
	with tarfile.open(p, 'w') as tar:
	t = tarfile.TarInfo('test')
	t.size = 10
	tar.addfile(t, io.BytesIO(b'newcontent'))
	p = cls.ar_with_dir = os.path.join(TEMPDIR, 'tar-with-dir.tar')
	cls.addClassCleanup(os_helper.unlink, p)
	with tarfile.open(p, 'w') as tar:
	tar.addfile(tar.gettarinfo(os.curdir, 'test'))
	p = os.path.join(TEMPDIR, 'tar-with-implicit-dir.tar')
	cls.ar_with_implicit_dir = p
	cls.addClassCleanup(os_helper.unlink, p)
	with tarfile.open(p, 'w') as tar:
	t = tarfile.TarInfo('test/file')
	t.size = 10
	tar.addfile(t, io.BytesIO(b'newcontent'))
	def open(self, path):
	return tarfile.open(path, 'r')
	def extractall(self, ar):
	ar.extractall(self.testdir, filter='fully_trusted')

[vstinner]

Alternative backport without the OverwriteTests class: #137645

[encukou]

The alternative for 3.10 was merged; so #137645 is what should be backported for 3.9.