Hi Paul,

Paul Eggert <egg...@cs.ucla.edu> writes:

> On 2025-08-07 08:47, Lior Kaplan wrote:
>> https://nvd.nist.gov/vuln/detail/CVE-2025-45582 which suggests way to work
>> around the protection mechanism of "Member name contains '..'" with
>> creating a symlink to a directory in the first tarball and writing files to
>> it (though the symlink) in the second tarball.
>
> After looking at it a bit more, I remembered that this issue is
> documented in the GNU Tar manual as an example of how not to use the
> program. (One can misuse GNU Tar, just as one can misuse many
> programs.)
>
> §10.2.2 of the GNU Tar manual says, "When extracting from two or more
> untrusted archives, each one should be extracted independently, into
> different empty directories. Otherwise, the first archive could create
> a symbolic link into an area outside the working directory, and the
> second one could follow the link and overwrite data that is not under
> the working directory."[1] The vulnerability report's reproduction[2]
> misuses GNU Tar in the way described in the manual. GNU Tar is not
> supposed to be used in this way on untrusted archives.

Good catch, I skimmed through the manual since I recalled it mentioning
many ways that extracting untrusted tar archives could be dangerous. But
I seemed to have missed this part.

Maybe we can better emphasize this part in § 2.8.4:

    It is also a good practice to examine contents of the archive before
    extracting it, using ‘--list’ (‘-t’) option, possibly combined with
    ‘--verbose’ (‘-v’).

Certainly seeing .ssh/authorized_keys in a tarball that you did not
create would alert you that someone is up to no good.

> GNU Tar is operating as documented. That being said, one could argue
> that it is too easy to misuse. Although I plan to look into making GNU
> Tar more idiot-proof in this area, I cannot promise to make GNU Tar
> safe for all possible misuses.
>
> For more on GNU Tar's security, please see §10.2 "Security"[3].

I still like the behavior of the patches you sent earlier. But you are
right, we cannot make it safe for people to extract every untrusted
archive.

I wonder how much of a chore it is to dispute a CVE, especially since
this exact case is documented.

Collin

Reply via email to