From 9f50c6cfe16e8f4a39b72cfd33238e584d2cffd4 Mon Sep 17 00:00:00 2001
From: "Douglas R. Reno" <renodr@linuxfromscratch.org>
Date: Wed, 6 Aug 2025 00:07:56 -0500
Subject: [PATCH] Python: Fix CVE-2025-8194

---
 chapter01/changelog.xml | 10 ++++++++++
 chapter08/python.xml    | 14 ++++++++++----
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/chapter01/changelog.xml b/chapter01/changelog.xml
index 09a3ee6e0..0e6915697 100644
--- a/chapter01/changelog.xml
+++ b/chapter01/changelog.xml
@@ -40,6 +40,16 @@
     appropriate for the entry or if needed the entire day's listitem.
     -->
 
+    <listitem>
+      <para>2025-08-05</para>
+      <itemizedlist>
+        <listitem>
+          <para>[renodr] - Fixed CVE-2025-8194 in Python. Fixes
+          <ulink url="&lfs-ticket-root;5774">#5774</ulink>.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+
     <listitem>
       <para>2025-08-01</para>
       <itemizedlist>
diff --git a/chapter08/python.xml b/chapter08/python.xml
index 534b81acd..2bedb71c6 100644
--- a/chapter08/python.xml
+++ b/chapter08/python.xml
@@ -42,11 +42,17 @@
 
   <sect2 role="installation">
     <title>Installation of Python 3</title>
-<!--
-    <para>First, apply a security patch to the current package:</para>
 
-    <screen><userinput remap="pre">patch -Np1 -i ../&python-security-fixes-patch;</userinput></screen>
--->    
+    <!-- CVE-2025-8194, see BLFS ticket #21895. The sed adds three lines. Thank
+    you Bruce for the sed! Please do not modify the spacing. -renodr -->
+    <para>First, fix a security vulnerability in the tarfile module:</para>
+
+<screen><userinput remap="pre">sed -e '/Round/{n;n;a\
+        # Only non-negative offsets are allowed\
+        if count &lt; 0:\
+            raise InvalidHeaderError("invalid offset")
+}' -i Lib/tarfile.py</userinput></screen>
+
     <para>Prepare Python for compilation:</para>
 
 <screen><userinput remap="configure">./configure --prefix=/usr          \