Unpatched since 2007 The vulnerability is in the Python tarfile package, in code that uses un-sanitized tarfile.extract () function or the built-in defaults of tarfile.extractall ().