Paul Eggert <egg...@cs.ucla.edu> writes:

> On 2025-08-07 08:47, Lior Kaplan wrote:
>> I was wondering if you had a chance to look at
>> https://nvd.nist.gov/vuln/detail/CVE-2025-45582
>
> First I've heard of it. Thanks for mentioning it.
>
> Sounds like tar by default should refuse to create symlinks to outside
> the working directory. Those symlinks are trouble anyway, regardless
> of whether the following program is tar or some other program.

I agree with the behavior change.

Extracting untrusted tar archives is already dangerous, so I don't think
it is worth any panic though.

In this case libarchive will fail. It looks like strerror (0) is called
though, which seems unintentional (cc'd Tim Kientzle):

   $ bsdtar -xf my_archive2.tar.gz
   my_directory/.ssh/: Cannot extract through symlink my_directory/.ssh: Success
   my_directory/.ssh/authorized_keys: Cannot extract through symlink my_directory/.ssh/authorized_keys: Success

Collin

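As an added illustration (not code from GNU tar, libarchive, or anyone in this thread), here is a small pre-extraction audit of a tar stream that applies the two rules discussed above: refuse symlinks whose target resolves outside the extraction root, and refuse any entry that would be extracted through a symlink the archive itself declared earlier (which is what libarchive's "Cannot extract through symlink" message reports). The archive it builds is a constructed stand-in for my_archive2.tar.gz with the entry order the bsdtar output implies (symlink, then a directory and a file underneath it); the link target ../../.ssh, the benign entries, and the function names are assumptions made for the example.

```python
"""Pre-extraction audit of a tar stream for symlink abuse (added example, not project code)."""
import io
import posixpath
import tarfile
from typing import List, Optional, Set, Tuple


def _escapes_root(path: str) -> bool:
    """True if an archive path (or a resolved link target) lands outside the extraction root."""
    if posixpath.isabs(path):
        return True
    depth = 0
    for part in posixpath.normpath(path).split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part not in ("", "."):
            depth += 1
    return False


def _symlink_prefix(name: str, symlinks: Set[str]) -> Optional[str]:
    """Return name itself or its closest ancestor that the archive already declared as a symlink."""
    cur = name
    while cur and cur != ".":
        if cur in symlinks:
            return cur
        cur = posixpath.dirname(cur)
    return None


def audit_tar(data: bytes) -> List[Tuple[str, str]]:
    """Walk the archive in order; return (normalized member name, reason) for every entry to refuse.

    1. no member path may escape the extraction root;
    2. a symlink target, resolved relative to the link's own directory, may not escape it;
    3. nothing may be extracted through a symlink the archive created earlier, whether the
       entry replaces the link (a directory entry of the same name) or sits below it.
    """
    findings = []
    symlinks: Set[str] = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            name = posixpath.normpath(m.name)
            if _escapes_root(m.name):
                findings.append((name, "path escapes extraction root"))
            via = _symlink_prefix(name, symlinks)
            if via is not None:
                findings.append((name, f"cannot extract through symlink {via}"))
            if m.issym():
                target = m.linkname
                resolved = target if posixpath.isabs(target) else posixpath.join(posixpath.dirname(name), target)
                if _escapes_root(resolved):
                    findings.append((name, f"symlink target {target} resolves outside extraction root"))
                symlinks.add(name)  # recorded even when rejected: later entries through it are still refused
            elif m.islnk() and _escapes_root(m.linkname):
                findings.append((name, f"hard link target {m.linkname} outside extraction root"))
    return findings


def is_safe_to_extract(data: bytes) -> bool:
    return not audit_tar(data)


def build_sample_archive() -> bytes:
    """Constructed .tar.gz: benign entries, then the symlink/dir/file sequence from the thread, then a traversal."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add_file(name: str, payload: bytes) -> None:
            ti = tarfile.TarInfo(name)
            ti.size = len(payload)
            tf.addfile(ti, io.BytesIO(payload))

        def add_link(name: str, target: str, kind: bytes) -> None:
            ti = tarfile.TarInfo(name)
            ti.type = kind
            ti.linkname = target
            tf.addfile(ti)

        add_file("my_directory/README", b"harmless\n")
        add_link("my_directory/README.lnk", "README", tarfile.SYMTYPE)  # in-tree symlink: allowed
        # Assumed target: resolves one directory above the extraction root.
        add_link("my_directory/.ssh", "../../.ssh", tarfile.SYMTYPE)
        d = tarfile.TarInfo("my_directory/.ssh/")
        d.type = tarfile.DIRTYPE
        tf.addfile(d)
        add_file("my_directory/.ssh/authorized_keys", b"ssh-ed25519 AAAA... constructed@example\n")
        add_file("../escape.txt", b"classic traversal\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in audit_tar(build_sample_archive()):
        print(f"REFUSE {member}: {reason}")
```

The audit is order-sensitive on purpose: a symlink is only dangerous to entries that come after it in the stream, which is also why a check that runs after extraction, or a check that looks at each entry in isolation, misses this case.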