[Bug 207396] Crafted tar archive can be used to remove arbitrary files

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207396

            Bug ID: 207396
           Summary: Crafted tar archive can be used to remove arbitrary
                    files
           Product: Base System
           Version: 10.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: misc
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: fuz at fuz.su

Created attachment 167263
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=167263&action=edit
A tar file that removes a file named f1 in badly constructed tar
implementations

The ustar file format allows to store hard links. Hard links are stored as
entries with file type 1 and the linkname field set to the file to link to. In
badly constructed tar implementations, a crafted tar file that attempts to link
a file to itself can be used to remove files as the tar program first checks if
the link-target exists, then unlinks the file name to be linked to and finally
attempts to create a link to a non-existent file, which fails for obvious
reasons. This attack vector has been known since at least 2003 and is part of
the star test suite.

FreeBSD tar apparently doesn't contain code to catch this scenario. Instead, it
happily deletes files using such crafted archives. This is a potential security
problem as tar is not expected to delete files without replacement as it
unpacks an archive.

Attached is the relevant test case from the star test suite.

-- 
You are receiving this mail because:
You are the assignee for the bug.