Thanks. Would it make sense to reuse this flag for this issue as well?

-h, --dereference Follow symlinks; archive and dump the files they point

On Fri, 8 Aug 2025, 10:18 Collin Funk, <collin.fu...@gmail.com> wrote:

> Sam James <s...@gentoo.org> writes:
>
> > Collin Funk <collin.fu...@gmail.com> writes:
> >
> >> Paul Eggert <egg...@cs.ucla.edu> writes:
> >>
> >>> On 2025-08-07 08:47, Lior Kaplan wrote:
> >>>> I was wondering if you had a chance to look at
> >>>> https://nvd.nist.gov/vuln/detail/CVE-2025-45582
> >>>
> >>> First I've heard of it. Thanks for mentioning it.
> >>>
> >>> Sounds like tar by default should refuse to create symlinks to outside
> >>> the working directory. Those symlinks are trouble anyway, regardless
> >>> of whether the following program is tar or some other program.
> >>
> >> I agree with the behavior change.
> >>
> >> Extracting untrusted tar archives is already dangerous, so I don't think
> >> it is worth any panic though.
> >
> > +1. Let's do this please.
>
> I attached a patch which could probably be much improved. But works for
> the original case.
>
> Without '-P' we check for '..', so it seems reasonable to do it for
> symlinks as well. Here is an example with this patch:
>
> $ rm -rf /home/ubuntu/.ssh
> $ ./src/tar -xf my_archive2.tar.gz
> ./src/tar: Member component has link my_directory ->
> ../../../../../../../home/ubuntu/ containing '..'
> ./src/tar: Member component has link my_directory ->
> ../../../../../../../home/ubuntu/ containing '..'
> ./src/tar: Exiting with failure status due to previous errors
> $ stat /home/ubuntu/.ssh
> stat: cannot statx '/home/ubuntu/.ssh': No such file or directory
>
> And using '-P' with this patch:
>
> $ ./src/tar -P -xf my_archive2.tar.gz
> $ stat --format=%n /home/ubuntu/.ssh/authorized_keys
> /home/ubuntu/.ssh/authorized_keys
>
> I don't mind putting it behind a new option instead of '-P', but am not
> creative enough to think of a long option name at the moment. :)
>
> Collin
>
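The check Collin describes (without '-P', refuse a symlink member whose target contains '..', the same test tar already applies to member names) can be reproduced as a pre-extraction scan. The script below is an added example written for this thread; it is not GNU tar's code and not the patch Collin attached. It constructs a small archive in memory that mimics the my_archive2.tar.gz case (a symlink my_directory -> ../../../../../../../home/ubuntu/ followed by a file written through it), then lists the members the proposed rule would reject. The absolute_names parameter is this script's stand-in for tar -P; the stricter resolution-based variant is this script's own addition, not something the thread proposes for tar.

```python
"""Pre-extraction scan for tar symlink members whose target escapes the
extraction directory. Mirrors the rule discussed for GNU tar's default
(non '-P') mode: a symlink target with a '..' component, or an absolute
target, is refused. Added example, not GNU tar's code."""
import io
import posixpath
import tarfile


def build_demo_archive() -> bytes:
    """Constructed sample archive: a symlink pointing outside the
    destination, then a regular file whose path goes *through* that
    symlink, then one benign file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        link = tarfile.TarInfo("my_directory")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../../../../../home/ubuntu/"
        tf.addfile(link)

        key = b"ssh-ed25519 AAAA... attacker@example\n"  # constructed
        fi = tarfile.TarInfo("my_directory/.ssh/authorized_keys")
        fi.size = len(key)
        tf.addfile(fi, io.BytesIO(key))

        data = b"benign\n"
        ok = tarfile.TarInfo("readme.txt")
        ok.size = len(data)
        tf.addfile(ok, io.BytesIO(data))
    return buf.getvalue()


def link_escapes(linkname: str) -> bool:
    """The '..' test applied to a symlink target, as the thread proposes
    for tar without -P: absolute targets and any target containing a '..'
    path component are refused. Testing components rather than the raw
    substring keeps a name like 'foo..bar' legal."""
    if linkname.startswith("/"):
        return True
    return ".." in linkname.split("/")


def link_resolves_outside(member_name: str, linkname: str) -> bool:
    """Stricter, resolution-based variant (this script's own addition):
    join the target onto the member's directory and check whether the
    normalized result climbs above the extraction root. 'a/b -> ../c'
    stays inside and is accepted here, while link_escapes() rejects it."""
    if linkname.startswith("/"):
        return True
    base = posixpath.dirname(member_name)
    resolved = posixpath.normpath(posixpath.join(base, linkname))
    return resolved == ".." or resolved.startswith("../")


def scan(archive: bytes, absolute_names: bool = False) -> list[str]:
    """Return one diagnostic per symlink member the rule would refuse.
    absolute_names=True mimics 'tar -P' and skips the check entirely."""
    problems: list[str] = []
    if absolute_names:
        return problems
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.issym() and link_escapes(m.linkname):
                problems.append(
                    f"Member component has link {m.name} -> "
                    f"{m.linkname} containing '..'"
                )
    return problems


if __name__ == "__main__":
    archive = build_demo_archive()
    for line in scan(archive):
        print(line)
    print("with -P equivalent:", scan(archive, absolute_names=True))
```

Run as-is it reports the my_directory symlink and nothing else; with absolute_names=True it reports nothing, matching the two runs Collin shows. Note that the scan only covers the archive's own symlink members; it does not cover a symlink that already exists in the destination from an earlier extraction, which is why extracting untrusted archives into a directory the attacker may have influenced stays risky regardless of this check. Python's own tarfile module (3.12, and the security backports to older releases) offers filter='data' on extract(), which likewise refuses links pointing outside the destination.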