Hello, I am reporting a security issue in GNU tar 1.35 where tar -t and tar -x produce different results when processing archives containing non-data-bearing typeflags (symlink, chardev, blockdev, FIFO) with a non-zero size field.
Summary:

- tar -t respects the size field and skips the data blocks
- tar -x ignores the size field and parses the data blocks as headers
- Result: files embedded in the data region are invisible to listing but are created on disk during extraction

This enables hidden file injection: an attacker can craft a small archive (< 3 KB) where tar -t reports N entries but tar -x creates N+M files. Any security workflow that relies on tar -t for pre-extraction inspection will have an incomplete view of the archive contents.

Reproduction (GNU tar 1.35, Ubuntu 24.04):

  $ tar -tf desync_chardev.tar
  carrier_entry
  marker.txt

  $ mkdir /tmp/test && tar -xf desync_chardev.tar -C /tmp/test
  $ ls /tmp/test/
  carrier_entry  injected.txt  marker.txt
                 ^^^^^^^^^^^^ not in listing

bsdtar 3.7.2 is consistent in both modes (lists and extracts all 3 entries).

Affected typeflags: '2' (symlink), '3' (chardev), '4' (blockdev), '6' (FIFO). Typeflag '5' (directory) is not affected.

I have attached:

1. Full advisory with root cause analysis and impact assessment
2. Standalone PoC generator (Python 3, no dependencies)
3. Four minimal PoC archives (one per affected typeflag)

I am happy to coordinate on a disclosure timeline. Please let me know if you need additional information or testing.

Regards,
Guillermo de Angel
Attachments (binary data):
  cve_desync_poc.py
  GNU_tar_Desync.pdf
  desync_blockdev.tar
  desync_chardev.tar
  desync_fifo.tar
  desync_symlink.tar
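As an added example (not the reporter's PoC generator and not GNU tar code), a Python pre-extraction check that models the two header walks described in the report, the listing walk that honours every size field and the extraction walk that does not skip data after non-data typeflags, and reports entries only the second walk reaches. The function names are my own, and sample_archive() builds a constructed fixture with the standard tarfile module that mirrors the desync_chardev.tar layout shown above.

```python
import tarfile

BLOCK = 512
NO_DATA = {"2", "3", "4", "6"}  # symlink, chardev, blockdev, FIFO

def _valid(block: bytes) -> bool:
    """ustar checksum: byte sum with the checksum field read as 8 spaces."""
    try:
        stored = int(block[148:156].rstrip(b"\0 "), 8)
    except ValueError:
        return False
    return stored == sum(block[:148]) + 8 * 0x20 + sum(block[156:])

def walk(data: bytes, honour_size: bool):
    """(name, typeflag, size) per header. honour_size=True models the listing
    walk; False models the extraction walk the report describes, which does
    not skip data after non-data typeflags, so the next block is read as a header."""
    off, found = 0, []
    while off + BLOCK <= len(data):
        block, off = data[off:off + BLOCK], off + BLOCK
        if not block.strip(b"\0"):
            break  # zero block: end of archive
        if not _valid(block):
            continue  # not a header: keep scanning block by block
        name = block[:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        typeflag = chr(block[156])
        size = int(block[124:136].rstrip(b"\0 ") or b"0", 8)
        found.append((name, typeflag, size))
        if honour_size or typeflag not in NO_DATA:
            off += -(-size // BLOCK) * BLOCK  # skip data, rounded up to blocks
    return found

def hidden_entries(data: bytes):
    """Names the extraction walk yields that the listing walk never shows."""
    listed = {n for n, _, _ in walk(data, True)}
    return [n for n, _, _ in walk(data, False) if n not in listed]

def ambiguous_headers(data: bytes):
    """Cheaper pre-extraction check: non-data typeflag with a non-zero size."""
    return [(n, t, s) for n, t, s in walk(data, True) if t in NO_DATA and s > 0]

def sample_archive(carrier_size: int = BLOCK) -> bytes:
    """Constructed fixture: a chardev header whose size covers a hidden header."""
    def hdr(name, typ, size=0):
        ti = tarfile.TarInfo(name)
        ti.type, ti.size = typ, size
        return ti.tobuf(tarfile.USTAR_FORMAT)
    return (hdr("carrier_entry", tarfile.CHRTYPE, carrier_size)
            + hdr("injected.txt", tarfile.REGTYPE)
            + hdr("marker.txt", tarfile.REGTYPE) + b"\0" * 2 * BLOCK)
```

With carrier_size=0 the same three headers form an ordinary archive and both walks agree, which is the benign case the check must not flag.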
