Hi Paul, Paul Eggert <egg...@cs.ucla.edu> writes:
> On 2025-08-07 08:47, Lior Kaplan wrote: >> https://nvd.nist.gov/vuln/detail/CVE-2025-45582 which suggests way to work >> around the protection mechanism of "Member name contains '..'" with >> creating a symlink to a directory in the first tarball and writing files to >> it (though the symlink) in the second tarball. > > After looking at it a bit more, I remembered that this issue is > documented in the GNU Tar manual as an example of how not to use the > program. (One can misuse GNU Tar, just as one can misuse many > programs.) > > §10.2.2 of the GNU Tar manual says, "When extracting from two or more > untrusted archives, each one should be extracted independently, into > different empty directories. Otherwise, the first archive could create > a symbolic link into an area outside the working directory, and the > second one could follow the link and overwrite data that is not under > the working directory."[1] The vulnerability report's reproduction[2] > misuses GNU Tar in the way described in the manual. GNU Tar is not > supposed to be used in this way on untrusted archives. Good catch, I skimmed through the manual since I recalled it mentioning many ways that extracting untrusted tar archives could be dangerous. But I seemed to have missed this part. Maybe we can better emphasize this part in § 2.8.4: It is also a good practice to examine contents of the archive before extracting it, using ‘--list’ (‘-t’) option, possibly combined with ‘--verbose’ (‘-v’). Certainly seeing .ssh/authorized_keys in a tarball that you did not create would alert you that someone is up to no good. > GNU Tar is operating as documented. That being said, one could argue > that it is too easy to misuse. Although I plan to look into making GNU > Tar more idiot-proof in this area, I cannot promise to make GNU Tar > safe for all possible misuses. > > For more on GNU Tar's security, please see §10.2 "Security"[3]. I still like the behavior of the patches you sent earlier. But you are right, we cannot make it safe for people to extract every untrusted archive. I wonder how much of a chore it is to dispute a CVE, especially since this exact case is documented. Collin