On 8/12/25 19:11, Collin Funk wrote:
> I still like the behavior of the patches you sent earlier. But you are
> right, we cannot make it safe for people to extract every untrusted
> archive.
Yes, tar cannot be made idiot-proof.
I found some problems with those patches, in that a verrrry clever
tarball could still escape the extraction directory. Also, there are two
classes of security issues here: unsafe file names and unsafe link
targets. In the long run I think we'll need to do both, but there are
some efficiency concerns. I'll think about it some more.
> I wonder how much of a chore it is to dispute a CVE, especially since
> this exact case is documented.
I don't know. My impression is that CVE is overwhelmed these days.
As it happens, a similar CVE against 7-Zip was reported this month. See:
https://nvd.nist.gov/vuln/detail/CVE-2025-55188
The reporter of the 7-Zip vulnerability is protesting its low severity
ranking, and is appealing to the CVE maintainers:
https://gbhackers.com/7-zip-vulnerability-3/
so it is possible to communicate to them. Please feel free to try.
I wonder how 7-Zip fixed it? It's difficult to protect against all idiot
uses both efficiently and correctly.
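As an added illustration of the two classes of issues named above (unsafe file names and unsafe link targets), and of the kind of archive that slips past a purely lexical name check, here is an audit routine written for this page; it is not code from GNU tar, from the patches under discussion, or from 7-Zip. It assumes the extraction root is the current directory, that members are applied in archive order, and that a symlink pointing at ".." above the root is the escape to catch; the sample archive it builds is constructed for the example.

```python
import io
import posixpath
import tarfile

def _resolve(path, links):
    # Root-relative resolution that substitutes symlinks the archive has already created,
    # so ".." applies to a link's target, not to the link. None means "escapes the root".
    parts = [p for p in path.split("/") if p not in ("", ".")]
    cur, hops = ([".."] if path.startswith("/") else []), 0  # an absolute path is an escape
    while parts:
        p = parts.pop(0)
        if p == "..":
            cur.pop() if cur and cur[-1] != ".." else cur.append("..")
            continue
        cur.append(p)
        target = links.get("/".join(cur))
        if target is not None:  # prefix is a symlink: restart from its target
            hops += 1
            if hops > 32: return None  # link cycle: treat as an escape
            cur, parts = [], [t for t in target.split("/") if t not in ("", ".")] + parts
    return None if ".." in cur else "/".join(cur) or "."

def unsafe_members(tf):
    # Yield (name, reason) for members that could touch a path outside the extraction root.
    links = {}  # resolved symlink location -> resolved target, in archive order
    for m in tf:
        loc = _resolve(m.name, links)
        if loc is None:
            yield m.name, "unsafe file name"
        elif m.issym():
            target = _resolve(posixpath.join(posixpath.dirname(loc), m.linkname), links)
            if target is None:
                yield m.name, "unsafe symlink target"
            else:
                links[loc] = target
        elif m.islnk() and _resolve(m.linkname, links) is None:
            yield m.name, "unsafe hard link target"

def sample_findings():
    # Constructed sample: benign file, climbing name, root-pointing symlink that looks safe
    # on its own, and a file whose lexically clean name climbs out through that symlink.
    members = [("ok/a.txt", tarfile.REGTYPE, ""), ("../evil.txt", tarfile.REGTYPE, ""),
               ("d/b", tarfile.SYMTYPE, ".."), ("d/b/../x", tarfile.REGTYPE, "")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, link in members:
            ti = tarfile.TarInfo(name)
            ti.type, ti.linkname, ti.size = kind, link, (1 if kind == tarfile.REGTYPE else 0)
            tf.addfile(ti, io.BytesIO(b"x") if ti.size else None)
    with tarfile.open(fileobj=io.BytesIO(buf.getvalue())) as tf:
        return list(unsafe_members(tf))
```

The block only audits members and never extracts; Python 3.12's tarfile.data_filter applies comparable checks at extraction time, which is the place to enforce them in practice.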