oss-sec mailing list archives

libtar: missing validation of file names


From: Naufragium Est <naufragium.est () gmail com>
Date: Thu, 10 Oct 2013 21:28:29 +0200

Is this also CVE-worthy?

https://lists.feep.net:8080/pipermail/libtar/2013-October/000359.html

The functions tar_extract_glob and tar_extract_all accept a path prefix
on where to extract files to. However, libtar does not validate the file
names stored inside a tar file, possibly leading to a file extraction
outside the prefix path. For example, consider a file name
"../../etc/passwd". If extract_all is called with prefix "/home/USER/",
libtar would try to overwrite "/etc/passwd".


Not fixed yet:

https://lists.feep.net:8080/pipermail/libtar/2013-October/000362.html

Once I figure out the right way of handling this, there will probably be
another libtar release.
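
A lexical check of the kind the report says is missing, as an added example that is not part of the original message and not libtar's code. The function name `member_name_is_safe` and the sample names in `main` are hypothetical and constructed for illustration; a caller would run the check on each member name before joining it to the prefix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a libtar function). Returns true when a member
 * name read from a tar header cannot leave the extraction prefix once the
 * two are joined. The check is purely lexical: it does not cover a symlink
 * extracted earlier from the same archive, which needs a separate check. */
bool member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;                 /* empty name: nothing sane to create */
    if (name[0] == '/')
        return false;                 /* absolute path ignores the prefix */

    const char *p = name;
    while (*p != '\0') {
        size_t len = strcspn(p, "/"); /* length of the current component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;             /* any ".." component is refused */
        p += len;
        while (*p == '/')             /* skip one or more separators */
            p++;
    }
    return true;
}

int main(void)
{
    /* Constructed sample names; the first is the one from the report. */
    const char *samples[] = {
        "../../etc/passwd", "/etc/passwd", "docs/../../x",
        "docs/readme.txt", "./a/..b/c",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               member_name_is_safe(samples[i]) ? "extract" : "refuse");
    return 0;
}
```

Refusing every ".." component is stricter than counting directory depth, and it avoids names such as "link/../x" whose real target depends on what "link" resolves to on disk.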

