Paul Eggert <egg...@cs.ucla.edu> writes:

> On 8/12/25 19:11, Collin Funk wrote:
>> I still like the behavior of the patches you sent earlier. But you are
>> right, we cannot make it safe for people to extract every untrusted
>> archive.
>
> Yes, tar cannot be made idiot-proof.
>
> I found some problems with those patches, in that a verrrry clever
> tarball could still escape the extraction directory. Also, there are
> two classes of security issues here: unsafe file names and unsafe link
> targets. In the long run I think we'll need to do both, but there are
> some efficiency concerns. I'll think about it some more.

Yep, the addition of many stat calls isn't ideal. I guess I should have
tested the patches with a tarball containing many files to see if it was
reasonable...

>> I wonder how much of a chore it is to dispute a CVE, especially since
>> this exact case is documented.
>
> I don't know. My impression is that CVE is overwhelmed these days.
>
> As it happens, a similar CVE against 7-Zip was reported this month. See:
>
> https://nvd.nist.gov/vuln/detail/CVE-2025-55188
>
> The reporter of the 7-Zip vulnerability is protesting its low severity
> ranking, and is appealing to the CVE maintainers:
>
> https://gbhackers.com/7-zip-vulnerability-3/
>
> so it is possible to communicate to them. Please feel free to try.

Thanks for your permission; I will probably try to contact MITRE.

In my experience, people will run security scans such as the following:

    $ docker scout cves debian:latest
        i New version 1.18.3 available (installed version is 1.18.2) at https://github.com/docker/scout-cli
        ✓ SBOM of image already cached, 111 packages indexed
        ✗ Detected 10 vulnerable packages with a total of 22 vulnerabilities
    [...]
    pkg:deb/debian/tar@1.35%2Bdfsg-3.1?os_distro=trixie&os_name=debian&os_version=13

    ✗ MEDIUM CVE-2025-45582 https://scout.docker.com/v/CVE-2025-45582
      Affected range : >=1.35+dfsg-3.1
      Fixed version  : not fixed

And contact mailing lists without searching for previous discussions, such
as this thread. Or contact software vendors to check if they are affected.
I deal with that case at work a lot (no complaints, since it is part of my
job). Since GNU tar is contained in many images, I am certain one of those
situations will occur.

> I wonder how 7-Zip fixed it? It's difficult to protect against all
> idiot uses both efficiently and correctly.

Here is the diff from the nist.gov page [1].

[1] https://github.com/ip7z/7zip/compare/25.00...25.01
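The two classes Paul separates above (unsafe member names versus unsafe link targets), and the reason a purely lexical name check is not enough, as an added Python example that is not code from this thread or from GNU tar: it only uses tarfile.TarInfo to represent archive members, and the functions resolve, unsafe_members and member plus the sample entries are constructed for illustration.

```python
import posixpath
import tarfile

def resolve(name, links):
    # Walk the path one component at a time, expanding symlinks seen earlier in
    # the archive before applying "..". None means the path leaves the tree.
    parts, pending, hops = [], name.split("/"), 0
    while pending:
        hops += 1
        p = pending.pop(0)
        if hops > 256 or (p == ".." and not parts):   # link loop, or climbed out
            return None
        if p in ("", "."):
            continue
        if p == "..":
            parts.pop()
            continue
        parts.append(p)
        cur = "/".join(parts)
        if cur in links:   # link target is relative to the link's own directory
            parts.pop()
            pending = links[cur].split("/") + pending
    return "/".join(parts)

def unsafe_members(members):
    # [(name, reason)] for members that would write or link outside the extraction dir.
    links, bad = {}, []
    for m in members:
        here = None if m.name.startswith("/") else resolve(m.name, links)
        if here is None:
            bad.append((m.name, "name escapes via '/', '..' or an earlier symlink"))
        elif m.issym():
            target = posixpath.join(posixpath.dirname(m.name), m.linkname)
            if target.startswith("/") or resolve(target, links) is None:
                bad.append((m.name, "symlink target escapes"))
            else:
                links[here] = m.linkname   # later members may pass through it
    return bad

def member(name, linkname=None):
    # Constructed sample entries (not taken from any real archive).
    info = tarfile.TarInfo(name)
    if linkname is not None:
        info.type, info.linkname = tarfile.SYMTYPE, linkname
    return info

SAMPLE = [member("docs/readme.txt"), member("../evil.txt"), member("abs", "/etc/passwd"),
          member("a/lnk", ".."),                   # points inside; harmless on its own
          member("a/lnk/../../escaped.txt"),       # normpath() says "escaped.txt"; really two dirs up
          member("b", "docs"), member("b/new.txt")]  # link inside the tree, file written through it
```

A TarFile object is itself an iterable of TarInfo, so unsafe_members(tarfile.open(path)) runs the same check over a real archive before extraction; the symlink table is what catches the last kind of entry, which a per-name check on its own lets through.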