oss-sec mailing list archives
libtar: missing validation of file names
From: Naufragium Est <naufragium.est () gmail com>
Date: Thu, 10 Oct 2013 21:28:29 +0200
is this also CVE-worthy? https://lists.feep.net:8080/pipermail/libtar/2013-October/000359.html
The functions tar_extract_glob and tar_extract_all accept a path prefix on where to extract files to. However, libtar does not validate the file names stored inside a tar file, possibly leading to a file extraction outside the prefix path. For example, consider a file name "../../etc/passwd". If extract_all is called with prefix "/home/USER/", libtar would try to overwrite "/etc/passwd".
not fixed yet: https://lists.feep.net:8080/pipermail/libtar/2013-October/000362.html
Once I figure out the right way of handling this, there will probably be another libtar release.
Current thread:
- libtar: missing validation of file names Naufragium Est (Oct 10)
- Re: libtar: missing validation of file names Kurt Seifried (Oct 10)