GNU tar extract pathname bypass

joeyh9y ago· 1 in thread

This reminds me of a over 10 year old security hole I noticed in tar: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=290435

ivank9y ago

Wow. I never thought I'd have to write an AppArmor profile for tar.

rurban9y ago· 1 in thread

How come the GNU tar maintainer was ignoring this for 6 months? Shouldn't someone better take over then? Huge fail.

anon13859y ago

From what I can tell they didn't ignore it they just don't think it is a bug.

cyphar9y ago

I'd say that the issue is only a vulnerability if you're doing tar -C / (which would be dumb). The actual issue appears to be that the filtering features of GNU tar are applied before pathname sanitisation (which is the actual security bug). The title (and some of the wording in the disclosure) lead me to believe that GNU tar would let you extract to paths outside the -C directory (which would be very bad).

So I kinda see the PoV of the maintainer, though I don't agree with the filter ordering.

d339y ago

Interesting. I wonder if this kind of bugs could be found automatically, via fuzzing. It would be nice if someone found a way to add a definition of unexpected behavior to fuzzing with AFL...

trendia9y ago

Linux is supposedly secure because everyone can access the source code and find a serious bug.

The question is whether anyone will fix it.

GNU tar extract pathname bypass (opens in new tab)

GNU tar extract pathname bypass (opens in new tab)

7 comments

7 comments