On 06/08/2025 13:27, Ellie wrote:
> But it might not be a bug, here's why:
> ======================================
>
> However, I can see some people wanting to intentionally extract an archive with --overwrite that writes into links. To avoid that, it seems like omitting --overwrite is enough:
>
> Overall, I find the option --overwrite at best not documented very well, since the naming kind of suggests that if --overwrite isn't specified then -k would be the default, which doesn't seem to be the case.

FWIW, GNU tar's documentation for --overwrite gives some more details, <https://www.gnu.org/software/tar/manual/html_node/Overwrite-Old-Files.html#Overwrite-Old-Files>. Particularly relevant is:

"If the name of a corresponding file name is a symbolic link, the file pointed to by the symbolic link will be overwritten instead of the symbolic link itself (if this is possible)."

In other words, the option is designed to allow exactly what this vulnerability report is about. Timing doesn't even come into it, just create the symbolic link prior to extraction.

The vulnerability report looks questionable anyway. It tries to highlight that things can change between lstat() and open() but I cannot see how this could be a valid report when busybox doesn't call lstat() at all for the files being extracted.

Cheers,
Harald van Dijk
_______________________________________________
busybox mailing list
[email protected]
https://lists.busybox.net/mailman/listinfo/busybox
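Added example, not code from BusyBox, GNU tar or anyone in this thread: it reproduces at the open(2) level the distinction the discussion turns on. A symlink is planted in the extraction directory before extraction (no race, no lstat() anywhere), and one archive member is then written three ways: open with O_TRUNC, which follows the link and clobbers its target (the behaviour the GNU tar manual documents for --overwrite); unlink first and create with O_EXCL, which replaces the link with a regular file; and open with O_TRUNC|O_NOFOLLOW, which refuses the link. The archive, member name, payload and victim file are all constructed here; the strategy names are this example's own, not tar options.

```python
"""Added example: how a pre-planted symlink interacts with three ways of
creating an extracted file. Not BusyBox or GNU tar code; it reproduces the
open(2) semantics the mailing-list discussion is about."""
import errno
import io
import os
import tarfile
import tempfile

MEMBER = "notes.txt"            # member name in the constructed archive
PAYLOAD = b"archive content that ends up in the victim file\n"
ORIGINAL = b"original victim content\n"


def build_archive(name: str, data: bytes) -> bytes:
    """Constructed single-member tar archive, built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def write_member(dest: str, data: bytes, strategy: str) -> None:
    """Write one regular-file member to `dest` with one of three strategies.

    "overwrite"    open(O_TRUNC): truncates whatever `dest` resolves to, so a
                   pre-existing symlink is followed (what the GNU tar manual
                   documents for --overwrite).
    "unlink_first" unlink `dest` (ignoring ENOENT) and create with O_EXCL:
                   a symlink is removed, never followed; no lstat() needed.
    "nofollow"     open(O_TRUNC | O_NOFOLLOW): a symlink is refused (ELOOP).
    """
    base = os.O_WRONLY | os.O_CREAT
    if strategy == "overwrite":
        fd = os.open(dest, base | os.O_TRUNC, 0o644)
    elif strategy == "unlink_first":
        try:
            os.unlink(dest)
        except FileNotFoundError:
            pass
        fd = os.open(dest, base | os.O_EXCL, 0o644)
    elif strategy == "nofollow":
        fd = os.open(dest, base | os.O_TRUNC | os.O_NOFOLLOW, 0o644)
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def extract(archive: bytes, dest_dir: str, strategy: str) -> None:
    """Minimal extractor: regular files only, no path sanitising (demo only)."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        for member in tf.getmembers():
            if not member.isreg():
                continue
            data = tf.extractfile(member).read()
            write_member(os.path.join(dest_dir, member.name), data, strategy)


def demo(strategy: str) -> dict:
    """Plant victim file and symlink, extract with `strategy`, report outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")
        extract_dir = os.path.join(tmp, "extract")
        os.mkdir(extract_dir)
        with open(victim, "wb") as f:
            f.write(ORIGINAL)
        link = os.path.join(extract_dir, MEMBER)
        os.symlink(victim, link)        # planted before extraction: no timing involved
        try:
            extract(build_archive(MEMBER, PAYLOAD), extract_dir, strategy)
            outcome = "written"
        except OSError as e:
            refused = e.errno in (errno.ELOOP, errno.EMLINK)  # ELOOP on Linux/macOS
            outcome = "refused" if refused else f"error:{e.errno}"
        with open(victim, "rb") as f:
            victim_now = f.read()
        return {
            "outcome": outcome,
            "victim_clobbered": victim_now == PAYLOAD,
            "still_symlink": os.path.islink(link),
        }


if __name__ == "__main__":
    for s in ("overwrite", "unlink_first", "nofollow"):
        print(f"{s:13s} {demo(s)}")
```

Running it shows "overwrite" clobbering the victim through the untouched symlink, "unlink_first" leaving the victim alone and replacing the link with a regular file, and "nofollow" leaving both the link and the victim untouched while refusing the write. Which of these a given tar binary does for a given option set is a question for its source and version; the example only shows what each choice of open flags implies.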
