[Bug 2116293] Re: Python virtual environments broken by 3.13.3-1ubuntu0.2

Tue Oct 21 13:54:56 UTC 2025

This is a regression, but I don't think it was avoidable.

Also, FWIW a modern Python virtualenv should not embed a copy of the
stdlib, so you should be getting the new version of posixpath.

Was this maybe a program that was running while the update was applied,
and tried to import tarfile after the update?

** Also affects: python3.13 (Ubuntu Plucky)
   Importance: Undecided
       Status: New

** Tags added: regression-update

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python3.13 in Ubuntu.
https://bugs.launchpad.net/bugs/2116293

Title:
  Python virtual environments broken by 3.13.3-1ubuntu0.2

Status in python3.13 package in Ubuntu:
  New
Status in python3.13 source package in Plucky:
  New

Bug description:
  ### Summary

  Security update to 3.13.3-1ubuntu0.2 breaks existing Python virtual environments with 
  AttributeError: module 'posixpath' has no attribute 'ALLOW_MISSING'

  The patch responsible is
  https://git.launchpad.net/ubuntu/+source/python3.13/commit/?id=2c1a1a44fdc4afc66a76fa31913b8bc291d090f2

  ### Version info
   * Package: python3.13
   * Version: 3.13.3-1ubuntu0.2
   * Ubuntu Version: 25.04 Plucky
   * Architecture: amd64

  ### Description

  The security update to python3 introduced a new constant os.path.ALLOW_MISSING that is used by the standard library module tarfile.py. However, existing Python virtual environments created before this update still use the old Python executable that doesn't know about this constant, while the system's standard library (which venvs share) expects it to exist.
  This breaks any Python virtual environment that uses tarfile functionality, including tools like Poetry when installing packages.

  ### Steps to Reproduce

   * Create a Python virtual environment with python3.13 before the security update
   * Update the system python3.13 package to 3.13.3-1ubuntu0.2
   * Try to use tarfile with data filter in the existing virtual environment:

  `~/.local/share/pypoetry/venv/bin/python`

  ```python
  import tarfile
  import tempfile
  import os

  # Create a temporary directory and file
  tmpdir = tempfile.TemporaryDirectory()

  test_file = os.path.join(tmpdir.name, "test.txt")
  with open(test_file, "w") as f:
      f.write("Hello, world!")

  # Create a tar archive
  tar_path = os.path.join(tmpdir.name, "test.tar")
  with tarfile.open(tar_path, "w") as tar:
      tar.add(test_file, arcname="test.txt")

  # Try to extract with data filter (this should trigger the bug)
  extract_dir = os.path.join(tmpdir.name, "extracted")
  os.makedirs(extract_dir)

  with tarfile.open(tar_path, "r") as tar:
      tar.extractall(extract_dir, filter="data") # AttributeError: module 'posixpath' has no attribute 'ALLOW_MISSING'
      print("No error occurred")
  ```

  ### Error Message

  `AttributeError: module 'posixpath' has no attribute 'ALLOW_MISSING'`

  ### Traceback
  File "/usr/lib/python3.13/tarfile.py", line 773, in _get_filtered_attrs
      dest_path = os.path.realpath(dest_path, strict=os.path.ALLOW_MISSING)
  AttributeError: module 'posixpath' has no attribute 'ALLOW_MISSING'

  ### Expected Behavior
   * Security updates should not break existing virtual environments
   * The 3.13.3 python3 interpreter should keep the compatibility with 3.13.3 stdlib
   * Tools such as Poetry or venv do most likely depend on the sys.version_info that was kept the same

  ### References
   * Reported as https://github.com/python-poetry/poetry/issues/10460

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python3.13/+bug/2116293/+subscriptions