
GNU tar extract pathname bypass - wrl
http://seclists.org/fulldisclosure/2016/Oct/96
======
joeyh
This reminds me of an over 10 year old security hole I noticed in tar:
[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=290435](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=290435)

~~~
ivank
Wow. I never thought I'd have to write an AppArmor profile for tar.

------
rurban
How come the GNU tar maintainer was ignoring this for 6 months? Shouldn't
someone better take over then? Huge fail.

~~~
anon1385
From what I can tell they didn't ignore it, they just don't think it is a bug.

------
cyphar
I'd say that the issue is only a vulnerability if you're doing tar -C / (which
would be dumb). The actual issue appears to be that the filtering features of
GNU tar are applied _before_ pathname sanitisation (which is the actual
security bug). The title (and some of the wording in the disclosure) lead me
to believe that GNU tar would let you extract to paths _outside_ the -C
directory (which would be very bad).

So I kinda see the PoV of the maintainer, though I don't agree with the filter
ordering.
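
The ordering point in the comment above, as an added example that is not part of the thread and is not GNU tar's code: an extraction planner that sanitises each member name first and only then applies the requested-name filter, reporting members that a filter-before-sanitise order would have let through. The `sanitise()` rule is a simplified model assumed for illustration, and all function names and the in-memory archive are constructed.

```python
import io
import tarfile


def sanitise(name):
    """Simplified model (assumption): keep only what follows the last '..'
    component and drop leading '/', so the result stays below the target dir."""
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if ".." in parts:
        last = len(parts) - 1 - parts[::-1].index("..")
        parts = parts[last + 1:]
    return "/".join(parts)


def matches(path, wanted):
    """True if path is one of the requested names or lies beneath one."""
    return any(path == w or path.startswith(w.rstrip("/") + "/") for w in wanted)


def plan_extraction(archive, wanted):
    """Return (extract, refused), each a list of (raw_name, destination)."""
    extract, refused = [], []
    for member in archive.getmembers():
        dest = sanitise(member.name)
        if dest and matches(dest, wanted):
            # The filter is applied to the path that will actually be written.
            extract.append((member.name, dest))
        elif matches(member.name, wanted):
            # Raw name passes the filter, sanitised destination does not:
            # this is the member a filter-before-sanitise order would accept.
            refused.append((member.name, dest))
    return extract, refused


def build_sample():
    """Constructed in-memory archive; member names are made up for the demo."""
    buf = io.BytesIO()
    data = b"constructed sample\n"
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("docs/readme", "docs/readme/../bin/run", "src/main.c"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    extract, refused = plan_extraction(build_sample(), ["docs/readme"])
    print("extract:", extract)
    print("refused:", refused)
```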

------
d33
Interesting. I wonder if this kind of bug could be found automatically, via
fuzzing. It would be nice if someone found a way to add a definition of
unexpected behavior to fuzzing with AFL...

------
trendia
Linux is supposedly secure because everyone can access the source code and
find a serious bug.

The question is whether anyone will _fix_ it.

