[automated] Merge branch 'release/9.0' => 'release/9.0-staging' by github-actions[bot] · Pull Request #128153 · dotnet/runtime
and others added 18 commits
…edAttributes size in TarHeader
Adds check for the "size" attribute in the ExtendedAttributes section of a tar file to prevent infinite loop with negative size. Follows the same throw logic for TarHeader's size.
The negative sized tar file cannot be reproduced using .NET, hence the lack of tests.
AI description (iteration 1)
PR Classification
Bug fix to add validation for negative size values in TAR extended attributes.
PR Summary
Adds a safety check to prevent negative size values when reading TAR extended attributes from the PaxEaSize field, throwing an InvalidDataException if a negative size is encountered.
TarHeader.Read.cs: Added validation to check if the extended attributes size is negative before assignment, throwing InvalidDataException with TarSizeFieldNegative error message if true.
Fix Windows tar vulnerability that allows creating a symlink to a file (and only a file, not a directory) to anywhere on the same drive where the tar is extracted.
AI description (iteration 1)
PR Classification
Bug fix to address incorrect symlink validation on Windows when extracting tar files with rooted paths.
PR Summary
Fixes symlink path validation in tar extraction on Windows by replacing Path.IsPathFullyQualified with Path.IsPathRooted and adding Path.GetFullPath calls to properly detect and reject symlinks pointing outside the destination directory.
TarEntry.cs: Changed symlink validation logic from Path.IsPathFullyQualified to Path.IsPathRooted with Path.GetFullPath for both entry names and link targets to correctly identify rooted paths on Windows
TarFile.ExtractToDirectory.File.Tests.Windows.cs: Added test case ExtractToDirectory_RejectsSymlinkWithRootedTargetOutsideDestination to verify symlinks with rooted targets outside the destination are properly rejected
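An added illustration, not the dotnet/runtime code, of why the choice of predicate matters here: on Windows a drive-relative target such as `\outside.txt` is rooted but not fully qualified, so a containment check has to resolve it with Path.GetFullPath before comparing it to the destination. `LinkTargetCheck` and `TargetStaysInside` are hypothetical names, and the link targets are constructed samples.

```csharp
using System;
using System.IO;

static class LinkTargetCheck
{
    // Returns true when a symlink entry and its target both resolve inside
    // destinationDir. entryName and linkTarget come from the archive (untrusted).
    public static bool TargetStaysInside(string destinationDir, string entryName, string linkTarget)
    {
        string root = Path.GetFullPath(destinationDir);
        if (!Path.EndsInDirectorySeparator(root))
            root += Path.DirectorySeparatorChar;

        // Where the link itself would be created.
        string linkPath = Path.GetFullPath(Path.Join(root, entryName));
        string linkDir = Path.GetDirectoryName(linkPath) ?? root;

        // Rooted targets ("\x", "C:x", "C:\x") are resolved on their own;
        // anything else is relative to the directory holding the link.
        string resolved = Path.IsPathRooted(linkTarget)
            ? Path.GetFullPath(linkTarget)
            : Path.GetFullPath(Path.Join(linkDir, linkTarget));

        StringComparison cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;
        return linkPath.StartsWith(root, cmp) && resolved.StartsWith(root, cmp);
    }

    static void Main()
    {
        string dest = Path.Combine(Path.GetTempPath(), "extract-here");
        // Constructed link targets: relative, traversal, drive-relative root, drive-relative.
        string[] targets = { "sibling.txt", @"..\..\outside.txt", @"\outside.txt", @"C:outside.txt" };
        foreach (string target in targets)
        {
            Console.WriteLine($"{target,-20} rooted={Path.IsPathRooted(target)} " +
                $"fullyQualified={Path.IsPathFullyQualified(target)} " +
                $"inside={TargetStaysInside(dest, "sub/link", target)}");
        }
    }
}
```

The rooted/fully-qualified split shown for `\outside.txt` and `C:outside.txt` is Windows path semantics; on Unix-like systems a backslash is an ordinary file-name character, so those samples are treated as relative names there.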
…hannelVersion 2.4.18
Updated Versions.props - MicrosoftNativeQuicMsQuicSchannelVersion 2.4.18
AI description (iteration 1)
PR Classification
Dependency version update to upgrade the MsQuic Schannel package from version 2.4.17 to 2.4.18.
PR Summary
This pull request updates the MsQuic Schannel dependency to a newer patch version.
/eng/Versions.props: Updated MicrosoftNativeQuicMsQuicSchannelVersion from 2.4.17 to 2.4.18
…-merge-9.0-2026-05-12-1247
This pull request updates the following dependencies
From https://github.com/dotnet/emsdk
- Subscription: f85f62c8-5e7d-4706-1003-08dcbc30275f
- Build: 20260508.3 (313592)
- Date Produced: May 8, 2026 12:57:27 PM UTC
- Commit: b634e009d59f72e9254f984a6b89e685955e0eb8
- Branch: release/9.0
- Dependency Updates:
- From 9.0.16-servicing.26221.3 to 9.0.17-servicing.26258.3
- Microsoft.SourceBuild.Intermediate.emsdk
- From 9.0.16-servicing.26221.3 to 9.0.17-servicing.26258.3
- Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport
- From 9.0.16 to 9.0.17
- Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100
- From 9.0.16 to 9.0.17
Coherency Updates
The following updates ensure that dependencies with a CoherentParentDependency attribute were produced in a build used as input to the parent dependency's build. See Dependency Description Format
- Coherency Updates:
- runtime.linux-arm64.Microsoft.NETCore.Runtime.JIT.Tools: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.linux-x64.Microsoft.NETCore.Runtime.JIT.Tools: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.linux-musl-arm64.Microsoft.NETCore.Runtime.JIT.Tools: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.linux-musl-x64.Microsoft.NETCore.Runtime.JIT.Tools: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.win-arm64.Microsoft.NETCore.Runtime.JIT.Tools: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.win-x64.Microsoft.NETCore.Runtime.JIT.Tools: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.osx-arm64.Microsoft.NETCore.Runtime.JIT.Tools: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.osx-x64.Microsoft.NETCore.Runtime.JIT.Tools: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.linux-arm64.Microsoft.NETCore.Runtime.Mono.LLVM.Sdk: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.linux-arm64.Microsoft.NETCore.Runtime.Mono.LLVM.Tools: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.linux-musl-arm64.Microsoft.NETCore.Runtime.Mono.LLVM.Sdk: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.linux-musl-arm64.Microsoft.NETCore.Runtime.Mono.LLVM.Tools: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.linux-x64.Microsoft.NETCore.Runtime.Mono.LLVM.Sdk: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.linux-x64.Microsoft.NETCore.Runtime.Mono.LLVM.Tools: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.linux-musl-x64.Microsoft.NETCore.Runtime.Mono.LLVM.Sdk: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.linux-musl-x64.Microsoft.NETCore.Runtime.Mono.LLVM.Tools: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.win-x64.Microsoft.NETCore.Runtime.Mono.LLVM.Sdk: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.win-x64.Microsoft.NETCore.Runtime.Mono.LLVM.Tools: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.osx-arm64.Microsoft.NETCore.Runtime.Mono.LLVM.Sdk: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.osx-arm64.Microsoft.NETCore.Runtime.Mono.LLVM.Tools: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.osx-x64.Microsoft.NETCore.Runtime.Mono.LLVM.Sdk: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
- runtime.osx-x64.Microsoft.NETCore.Runtime.Mono.LLVM.Tools: from 19.1.0-alpha.1.26202.3 to 19.1.0-alpha.1.26256.3 (parent: Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport)
Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: Larry Ewing <lewing@microsoft.com>
svick deleted the merge/release/9.0-to-release/9.0-staging branch