Collin Funk <collin.fu...@gmail.com> writes:

> Paul Eggert <egg...@cs.ucla.edu> writes:
>
>> On 2025-08-07 08:47, Lior Kaplan wrote:
>>> I was wondering if you had a chance to look at
>>> https://nvd.nist.gov/vuln/detail/CVE-2025-45582
>>
>> First I've heard of it. Thanks for mentioning it.
>>
>> Sounds like tar by default should refuse to create symlinks to outside
>> the working directory. Those symlinks are trouble anyway, regardless
>> of whether the following program is tar or some other program.
>
> I agree with the behavior change.
>
> Extracting untrusted tar archives is already dangerous, so I don't think
> it is worth any panic though.

+1. Let's do this please.

>
> In this case libarchive will fail.

... since https://github.com/libarchive/libarchive/issues/746.

> It looks like strerror (0) is called
> though, which seems unintentional (cc'd Tim Kientzle):
>
>    $ bsdtar -xf my_archive2.tar.gz
>    my_directory/.ssh/: Cannot extract through symlink my_directory/.ssh: Success
>    my_directory/.ssh/authorized_keys: Cannot extract through symlink my_directory/.ssh/authorized_keys: Success
>
> Collin

sam
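The two rules discussed in this thread, refusing symlinks whose target lies outside the extraction directory and refusing to extract members through an earlier symlink (what libarchive does since the issue linked above), can be checked before extraction. The following is an added example, not code from the thread, from GNU tar or from libarchive: a Python audit that walks an archive in member order and reports both conditions. The archive contents, including the `my_directory/.ssh` symlink target, are constructed for the example.

```python
import io
import posixpath
import tarfile


def _escapes(path: str) -> bool:
    """True if a normalized relative path leaves the extraction directory."""
    norm = posixpath.normpath(path)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def audit_archive(data: bytes):
    """Return [(member_name, reason), ...] for members a safe extractor should refuse.

    Members are processed in archive order, which is also extraction order, so a
    symlink recorded here affects only the members that follow it.
    """
    findings = []
    symlinks = {}  # normalized link path -> link target, seen so far
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            name = posixpath.normpath(m.name)
            if _escapes(name):
                findings.append((m.name, "member path escapes the extraction directory"))
                continue
            # Rule 2 (libarchive behaviour): any parent component that is an
            # earlier symlink means this member would be written through it.
            parts = name.split("/")
            through = None
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in symlinks:
                    through = prefix
                    break
            if through is not None:
                findings.append((m.name, f"extracts through symlink {through} -> {symlinks[through]}"))
                continue
            # Rule 1 (proposed tar default): a symlink may not point outside
            # the extraction directory, whether by absolute or relative target.
            if m.issym():
                target = m.linkname
                resolved = posixpath.join(posixpath.dirname(name), target)
                if target.startswith("/") or _escapes(resolved):
                    findings.append((m.name, f"symlink target {target} points outside the extraction directory"))
                symlinks[name] = target  # record it even when flagged, so later members are reported too
    return findings


def build_archive(entries) -> bytes:
    """Build an in-memory tar from (name, kind, payload) tuples; kind is 'dir', 'file' or 'sym'.

    Used only to construct sample input for this example.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "dir":
                info.type = tarfile.DIRTYPE
                tf.addfile(info)
            elif kind == "sym":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tf.addfile(info)
            else:
                body = payload.encode()
                info.size = len(body)
                tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed archive shaped like the one in the thread: a symlink named .ssh
# with an absolute target, followed by a file written through it.
UNSAFE_ARCHIVE = build_archive([
    ("my_directory", "dir", None),
    ("my_directory/.ssh", "sym", "/root/.ssh"),  # constructed target
    ("my_directory/.ssh/authorized_keys", "file", "placeholder key line\n"),
])

# Constructed archive whose symlink stays inside the tree and is never written through.
SAFE_ARCHIVE = build_archive([
    ("my_directory", "dir", None),
    ("my_directory/real", "dir", None),
    ("my_directory/link", "sym", "real"),
    ("my_directory/real/file.txt", "file", "hello\n"),
])


if __name__ == "__main__":
    for label, archive in (("unsafe", UNSAFE_ARCHIVE), ("safe", SAFE_ARCHIVE)):
        print(label, audit_archive(archive) or "no findings")
```

The audit reports two findings for the constructed unsafe archive, one for the symlink itself and one for `authorized_keys` being written through it, which mirrors the two bsdtar messages quoted above; a relative target such as `../../root/.ssh` is caught by the same normalization. It is a pre-extraction check only: an extractor still needs its own runtime refusal, since a path that is safe in the listing can be redirected by a symlink already present on disk.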
