On 2025-08-07 08:47, Lior Kaplan wrote:
> https://nvd.nist.gov/vuln/detail/CVE-2025-45582 which suggests a way to work
> around the protection mechanism of "Member name contains '..'" with
> creating a symlink to a directory in the first tarball and writing files to
> it (through the symlink) in the second tarball.

After looking at it a bit more, I remembered that this issue is
documented in the GNU Tar manual as an example of how not to use the
program. (One can misuse GNU Tar, just as one can misuse many programs.)
§10.2.2 of the GNU Tar manual says, "When extracting from two or more
untrusted archives, each one should be extracted independently, into
different empty directories. Otherwise, the first archive could create a
symbolic link into an area outside the working directory, and the second
one could follow the link and overwrite data that is not under the
working directory."[1] The vulnerability report's reproduction[2]
misuses GNU Tar in the way described in the manual. GNU Tar is not
supposed to be used in this way on untrusted archives.

GNU Tar is operating as documented. That being said, one could argue
that it is too easy to misuse. Although I plan to look into making GNU
Tar more idiot-proof in this area, I cannot promise to make GNU Tar safe
for all possible misuses.

For more on GNU Tar's security, please see §10.2 "Security"[3].

[1]: https://www.gnu.org/software/tar/manual/html_node/Integrity.html
[2]: https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md#vulnerability-reproduction
[3]: https://www.gnu.org/software/tar/manual/html_node/Security.html
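The manual's rule quoted above (extract each untrusted archive independently, into its own empty directory) is easy to script. The following is an added example, not part of the thread and not GNU Tar's own code: it uses Python's tarfile module rather than the tar command, gives every archive a freshly created empty directory so a symlink planted by one archive can never be followed while extracting another, and additionally refuses any archive whose member names or link targets point outside its own extraction directory. The two archives it processes are constructed inline for illustration; the function and variable names are the example's own.

```python
"""Extract several untrusted tarballs the way the GNU Tar manual prescribes:
each into its own fresh, empty directory, after a name/link sanity scan.
Added example using Python's tarfile module; sample archives are constructed."""
import io
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def member_problem(member: tarfile.TarInfo) -> Optional[str]:
    """Return why a member must not be extracted, or None if its names look safe.

    This is a per-archive check on names only. It does NOT make extracting two
    archives into one shared directory safe: a link that stays inside this
    archive's directory can still be followed by a later archive's members,
    which is exactly why extract_each_separately() below never shares a directory.
    """
    if os.path.isabs(member.name) or ".." in Path(member.name).parts:
        return f"{member.name}: absolute or parent-relative member name"
    if member.issym() or member.islnk():
        if os.path.isabs(member.linkname):
            return f"{member.name}: link to absolute path {member.linkname}"
        # A symlink target is relative to the link's own directory; a hard link
        # target is relative to the archive root.
        base = os.path.dirname(member.name) if member.issym() else ""
        target = os.path.normpath(os.path.join(base, member.linkname))
        if target == ".." or target.startswith(".." + os.sep):
            return f"{member.name}: link escapes the extraction directory ({member.linkname})"
    if member.isdev():
        return f"{member.name}: device node"
    return None


def scan_archive(blob: bytes) -> List[str]:
    """Collect the problems of every member of an (uncompressed) tar image."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
        return [p for p in map(member_problem, tar.getmembers()) if p]


def extract_each_separately(archives: Dict[str, bytes], dest_root: Path) -> Dict[str, str]:
    """Extract every archive into its own brand-new empty directory under dest_root.

    Returns {archive_name: "extracted" | "rejected: <reasons>"}.
    """
    results: Dict[str, str] = {}
    # Python 3.12+ (and the security backports) provide extraction filters; on
    # older interpreters fall back to plain extractall, guarded by scan_archive.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    for name, blob in archives.items():
        problems = scan_archive(blob)
        if problems:
            results[name] = "rejected: " + "; ".join(problems)
            continue
        target = tempfile.mkdtemp(prefix=name + "-", dir=str(dest_root))  # fresh and empty
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
            tar.extractall(path=target, **extra)
        results[name] = "extracted"
    return results


def build_tar(entries: List[Tuple[str, str, str]]) -> bytes:
    """Build a tar image in memory from (name, kind, payload) triples.
    kind is "file" (payload = contents) or "symlink" (payload = link target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()


def run_demo() -> Tuple[Dict[str, str], str, bool]:
    """Constructed sample archives: one well-formed (with an in-tree symlink),
    one whose symlink points above the extraction directory."""
    clean = build_tar([("pkg/README", "file", "hello\n"), ("pkg/latest", "symlink", "README")])
    escaping = build_tar([("pkg/out", "symlink", "../../elsewhere"), ("pkg/README", "file", "x\n")])
    with tempfile.TemporaryDirectory() as root:
        results = extract_each_separately({"clean": clean, "escaping": escaping}, Path(root))
        extracted = next(Path(root).glob("clean-*"))
        readme = (extracted / "pkg" / "README").read_text()
        link_ok = os.readlink(str(extracted / "pkg" / "latest")) == "README"
    return results, readme, link_ok


if __name__ == "__main__":
    print(run_demo())
```

The scan rejects a single archive that tries to escape on its own; the one-directory-per-archive rule is what prevents the two-archive scenario from the thread, where each archive individually looks harmless. On interpreters that support `filter="data"`, tarfile repeats the same checks at extraction time, so the scan is a belt-and-braces pre-check rather than the sole guard.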