Date: Sun, 21 Feb 2016 17:17:54 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 207396] Crafted tar archive can be used to remove arbitrary files
Message-ID: <bug-207396-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207396

Bug ID: 207396
Summary: Crafted tar archive can be used to remove arbitrary files
Product: Base System
Version: 10.2-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: misc
Assignee: freebsd-bugs@FreeBSD.org
Reporter: fuz@fuz.su

Created attachment 167263
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=167263&action=edit
A tar file that removes a file named f1 in badly constructed tar implementations

The ustar file format allows hard links to be stored. Hard links are stored as
entries with file type 1 and the linkname field set to the file to link to. In
badly constructed tar implementations, a crafted tar file that attempts to link
a file to itself can be used to remove files as the tar program first checks if
the link-target exists, then unlinks the file name to be linked to and finally
attempts to create a link to a non-existent file, which fails for obvious
reasons. This attack vector has been known since at least 2003 and is part of
the star test suite.

FreeBSD tar apparently doesn't contain code to catch this scenario. Instead, it
happily deletes files using such crafted archives. This is a potential security
problem as tar is not expected to delete files without replacement as it
unpacks an archive.

Attached is the relevant test case from the star test suite.

-- 
You are receiving this mail because:
You are the assignee for the bug.
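
A defensive pre-extraction check for the case the report describes, as an added example (not part of the original message, the star test suite, or FreeBSD's code): it reads headers only, never extracts, and flags hard-link entries (ustar type 1) whose linkname resolves to the entry's own path. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def _norm(path):
    # Collapse "./" and duplicate slashes so "./f1" and "f1" compare equal.
    return posixpath.normpath(path)


def find_self_links(fileobj):
    """Return the names of hard-link entries that point at themselves."""
    hits = []
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        for member in tar:
            # islnk() is true for ustar typeflag '1' (hard link).
            if member.islnk() and _norm(member.name) == _norm(member.linkname):
                hits.append(member.name)
    return hits


def build_sample(self_link):
    """Constructed sample: regular file f2 plus a hard-link entry named f1."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        data = b"hello\n"
        regular = tarfile.TarInfo("f2")
        regular.size = len(data)
        tar.addfile(regular, io.BytesIO(data))

        link = tarfile.TarInfo("f1")
        link.type = tarfile.LNKTYPE
        # Self-referencing linkname (the reported case) or a benign link to f2.
        link.linkname = "./f1" if self_link else "f2"
        tar.addfile(link)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print("self-link sample:", find_self_links(build_sample(True)))
    print("benign sample:   ", find_self_links(build_sample(False)))
```

An extractor can apply the same comparison before it unlinks an existing path, and skip the entry when the link target is the path being replaced.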