Date: Sun, 21 Feb 2016 17:17:54 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 207396] Crafted tar archive can be used to remove arbitrary files
Message-ID: <bug-207396-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207396

            Bug ID: 207396
           Summary: Crafted tar archive can be used to remove arbitrary files
           Product: Base System
           Version: 10.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: misc
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: fuz@fuz.su

Created attachment 167263
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=167263&action=edit
A tar file that removes a file named f1 in badly constructed tar implementations

The ustar file format allows storing hard links. Hard links are stored as
entries with file type 1 and the linkname field set to the file to link to.
In badly constructed tar implementations, a crafted tar file that attempts to
link a file to itself can be used to remove files, as the tar program first
checks if the link target exists, then unlinks the file name to be linked to,
and finally attempts to create a link to a non-existent file, which fails for
obvious reasons.

This attack vector has been known since at least 2003 and is part of the star
test suite.

FreeBSD tar apparently doesn't contain code to catch this scenario. Instead, it
happily deletes files using such crafted archives. This is a potential security
problem, as tar is not expected to delete files without replacement as it
unpacks an archive.

Attached is the relevant test case from the star test suite.

-- 
You are receiving this mail because:
You are the assignee for the bug.
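
Added example, not part of the original report and not FreeBSD tar's code: a pre-extraction check in Python that lists hard-link entries (ustar type 1) whose linkname resolves lexically to the entry's own name, the case the report describes. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def self_linked_entries(fileobj):
    """Return names of hard-link entries whose linkname is the entry itself.

    Only headers are read; nothing is extracted to disk.
    """
    flagged = []
    with tarfile.open(fileobj=fileobj, mode="r:") as archive:
        for member in archive:
            if not member.islnk():  # islnk() is true for ustar typeflag '1'
                continue
            # Compare normalised paths so "./f1" and "f1" count as the same name.
            same = posixpath.normpath(member.name) == posixpath.normpath(member.linkname)
            if same:
                flagged.append(member.name)
    return flagged


def build_sample(entries):
    """Constructed test input: an in-memory ustar archive.

    entries is a list of (name, kind, arg); kind is "file" (arg = bytes
    content) or "link" (arg = hard-link target name).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as archive:
        for name, kind, arg in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                info.size = len(arg)
                archive.addfile(info, io.BytesIO(arg))
            else:
                info.type = tarfile.LNKTYPE
                info.linkname = arg
                archive.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample([
        ("data.txt", "file", b"hello"),
        ("copy", "link", "data.txt"),  # ordinary hard link, not flagged
        ("f1", "link", "f1"),          # links to itself, flagged
    ])
    print(self_linked_entries(sample))
```

A lexical comparison cannot see two different names that reach the same file through a symlink or an existing hard link on disk, so an extractor still needs to compare the link target and the destination on disk before it unlinks anything.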
