Collin Funk <collin.fu...@gmail.com> writes:

> Paul Eggert <egg...@cs.ucla.edu> writes:
>
>> On 2025-08-07 08:47, Lior Kaplan wrote:
>>> I was wondering if you had a chance to look at
>>> https://nvd.nist.gov/vuln/detail/CVE-2025-45582
>>
>> First I've heard of it. Thanks for mentioning it.
>>
>> Sounds like tar by default should refuse to create symlinks to outside
>> the working directory. Those symlinks are trouble anyway, regardless
>> of whether the following program is tar or some other program.
>
> I agree with the behavior change.
>
> Extracting untrusted tar archives is already dangerous, so I don't think
> it is worth any panic though.

+1. Let's do this please.

> In this case libarchive will fail. ... since https://github.com/libarchive/libarchive/issues/746.
> It looks like strerror (0) is called
> though, which seems unintentional (cc'd Tim Kientzle):
>
> $ bsdtar -xf my_archive2.tar.gz
> my_directory/.ssh/: Cannot extract through symlink my_directory/.ssh:
> Success
> my_directory/.ssh/authorized_keys: Cannot extract through symlink
> my_directory/.ssh/authorized_keys: Success
>
> Collin

sam
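The two checks discussed in the thread (refuse symlinks whose target leaves the extraction root, and refuse extracting through a symlink created by the same archive) as a standalone audit pass over an archive's member list. This is an added illustration, not code from GNU tar or libarchive; `audit_members`, `build_sample` and the link target `../../outside_root` are constructed for the example.

```python
import io
import posixpath
import tarfile

def _normalize(name):
    # Strip a leading "/" and collapse "." and ".." components.
    path = posixpath.normpath(name.lstrip("/"))
    return "" if path == "." else path

def _escapes_root(path):
    # True when a normalized relative path climbs above the extraction root.
    return path == ".." or path.startswith("../")

def audit_members(members):
    """Return [(member_name, reason)] for members a safe extractor refuses: paths escaping
    the root, symlinks resolving outside it, and members extracted through an earlier symlink."""
    problems, symlinks = [], set()
    for m in members:
        name = _normalize(m.name)
        if _escapes_root(name):
            problems.append((m.name, "path escapes extraction root"))
            continue
        parts = name.split("/")
        through = {"/".join(parts[:i]) for i in range(1, len(parts))} & symlinks
        if through:
            problems.append((m.name, "extracts through symlink " + min(through)))
            continue
        if m.issym():
            symlinks.add(name)  # recorded even when rejected, so paths through it are refused
            if m.linkname.startswith("/"):
                problems.append((m.name, "symlink target is absolute"))
                continue
            target = _normalize(posixpath.join(posixpath.dirname(name), m.linkname))
            if _escapes_root(target):
                problems.append((m.name, "symlink target leaves extraction root"))
    return problems

def build_sample():
    # Constructed in-memory archive mirroring the thread's bsdtar output: a symlink
    # named my_directory/.ssh followed by a file placed through it.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("my_directory/.ssh")
        link.type, link.linkname = tarfile.SYMTYPE, "../../outside_root"  # constructed target
        tar.addfile(link)
        body = b"constructed file body\n"
        member = tarfile.TarInfo("my_directory/.ssh/authorized_keys")
        member.size = len(body)
        tar.addfile(member, io.BytesIO(body))
    with tarfile.open(fileobj=io.BytesIO(buf.getvalue()), mode="r") as tar:
        return audit_members(tar.getmembers())
```

Python 3.12's `tarfile` performs equivalent checks when extracting with `filter="data"`; the block spells the logic out so it can be run as a pre-extraction audit on older interpreters.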