Merge pull request #26 from alexcrichton/tar

Aribtrary filesystem writes in tar 0.4.15 and older
2026-01-03 01:56:41 +01:00 · 2018-06-30 10:34:06 +01:00
parent 3c0458d26b 1e553ef856
commit c21aa4af35
1 changed files with 25 additions and 0 deletions
--- a/crates/tar/RUSTSEC-2018-0002.toml
+++ b/crates/tar/RUSTSEC-2018-0002.toml
@@ -0,0 +1,25 @@
+[[advisory]]
+id = "RUSTSEC-2018-0002"
+package = "tar"
+unaffected_versions = []
+patched_versions = [">= 0.4.16"]
+dwf = []
+url = "https://github.com/alexcrichton/tar-rs/pull/156"
+title = "Links in archives can overwrite any existing file"
+date = "2018-06-29"
+description = """
+When unpacking a tarball with the `unpack_in`-family of functions it's intended
+that only files within the specified directory are able to be written. Tarballs
+with hard links or symlinks, however, can be used to overwrite any file on the
+filesystem.
+
+Tarballs can contain multiple entries for the same file. A tarball which first
+contains an entry for a hard link or symlink pointing to any file on the
+filesystem will have the link created, and then afterwards if the same file is
+listed in the tarball the hard link will be rewritten and any file can be
+rewritten on the filesystem.
+
+This has been fixed in https://github.com/alexcrichton/tar-rs/pull/156 and is
+published as `tar` 0.4.16. Thanks to Max Justicz for discovering this and
+emailing about the issue!
+"""