Paul Eggert <egg...@cs.ucla.edu> writes:

> On 2025-08-07 08:47, Lior Kaplan wrote:
>> I was wondering if you had a chance to look at
>> https://nvd.nist.gov/vuln/detail/CVE-2025-45582
>
> First I've heard of it. Thanks for mentioning it.
>
> Sounds like tar by default should refuse to create symlinks to outside
> the working directory. Those symlinks are trouble anyway, regardless
> of whether the following program is tar or some other program.
I agree with the behavior change. Extracting untrusted tar archives is
already dangerous, so I don't think it is worth any panic though.

In this case libarchive will fail. It looks like strerror (0) is called
though, which seems unintentional (cc'd Tim Kientzle):

$ bsdtar -xf my_archive2.tar.gz
my_directory/.ssh/: Cannot extract through symlink my_directory/.ssh: Success
my_directory/.ssh/authorized_keys: Cannot extract through symlink my_directory/.ssh/authorized_keys: Success

Collin
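The two refusals discussed in the thread (a symlink member whose target lies outside the working directory, and a later member that would be written through such a symlink) can be checked before anything touches the filesystem. The following is an added example, not code from this thread, GNU tar or libarchive: a Python audit over an in-memory archive whose entries are constructed here to mirror the shape in Collin's bsdtar output (the symlink target "../../outside" and the destination "/tmp/extract" are placeholders). It goes slightly beyond the thread by also rejecting absolute or ".." member paths and escaping hard-link targets.

```python
import io
import posixpath
import tarfile

# Constructed sample (not the archive from the thread): a symlink pointing
# outside the extraction tree, followed by a file written through it.
SAMPLE_ENTRIES = [
    ("my_directory/README", "file", b"harmless content\n"),
    ("my_directory/.ssh", "symlink", "../../outside"),  # constructed target
    ("my_directory/.ssh/authorized_keys", "file", b"constructed\n"),
]


def build_archive(entries):
    """Build a gzip-compressed tar in memory from (name, kind, value) tuples;
    kind is 'file' (value is bytes) or 'symlink' (value is the link target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, kind, value in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = value
                tf.addfile(info)
            else:
                info.size = len(value)
                tf.addfile(info, io.BytesIO(value))
    return buf.getvalue()


def _escapes(dest, rel):
    """True if dest/rel, after normalising '..' segments, lies outside dest."""
    joined = posixpath.normpath(posixpath.join(dest, rel))
    return not (joined == dest or joined.startswith(dest + "/"))


def _parent_prefixes(name):
    """'a/b/c' -> ['a', 'a/b']: every ancestor path of a member inside the archive."""
    parts = name.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]


def audit_tar(data, dest="/tmp/extract"):
    """Return [(member name, reason)] for every member that must not land under dest.

    Members are visited in archive order so that a symlink seen earlier taints
    every later member whose path passes through it, which is the case libarchive
    reports as 'Cannot extract through symlink'.
    """
    dest = posixpath.normpath(dest)
    findings = []
    symlinks = {}  # archive path of a symlink member -> its link target
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            name = posixpath.normpath(m.name)
            if posixpath.isabs(name) or _escapes(dest, name):
                findings.append((m.name, "path escapes destination directory"))
                continue
            through = next((p for p in _parent_prefixes(name) if p in symlinks), None)
            if through is not None:
                findings.append((m.name, "extracts through symlink %s -> %s"
                                 % (through, symlinks[through])))
                continue
            if m.issym():
                # Record first: later members written through this link are unsafe
                # regardless of whether the link itself stays inside dest.
                symlinks[name] = m.linkname
                # A relative target is resolved from the link's own directory.
                target = posixpath.join(posixpath.dirname(name), m.linkname)
                if _escapes(dest, target):
                    findings.append((m.name, "symlink target outside destination: %s"
                                     % m.linkname))
            elif m.islnk() and _escapes(dest, m.linkname):
                findings.append((m.name, "hard link target outside destination: %s"
                                 % m.linkname))
    return findings


def safe_extract(data, dest):
    """Refuse the whole archive if the audit finds anything, otherwise extract it."""
    findings = audit_tar(data, dest)
    if findings:
        raise ValueError("unsafe archive: " + "; ".join("%s (%s)" % f for f in findings))
    # Newer Python versions ship tarfile extraction filters; use 'data' when present.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        tf.extractall(dest, **kwargs)


if __name__ == "__main__":
    for member, reason in audit_tar(build_archive(SAMPLE_ENTRIES), "/tmp/extract"):
        print("%s: %s" % (member, reason))
```

Run against the constructed sample the audit reports "my_directory/.ssh" (target outside the destination) and "my_directory/.ssh/authorized_keys" (extracts through that symlink), and leaves "my_directory/README" alone; a symlink whose target stays inside the tree is not reported by itself. Rejecting the whole archive rather than skipping individual members avoids partially extracted trees that the caller might then trust.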