- Reported
-
- Issued
-
- Package
-
tar
(crates.io)
- Type
-
Vulnerability
- Keywords
-
#tar
- Aliases
-
- CVSS Score
- 5.1
MEDIUM
- CVSS Details
-
- Attack Complexity
- Low
- Attack Requirements
- None
- Attack Vector
- Network
- Privileges Required
- None
- Availability Impact to the Subsequent System
- None
- Confidentiality Impact to the Subsequent System
- None
- Integrity Impact to the Subsequent System
- None
- User Interaction
- Active
- Availability Impact to the Vulnerable System
- None
- Confidentiality Impact to the Vulnerable System
- None
- Integrity Impact to the Vulnerable System
- Low
- CVSS Vector
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
- Patched
-
- Affected Functions
- Version
tar::Entry::unpack-
tar::Entry::unpack_in-
Description
In versions 0.4.44 and below of tar-rs, when unpacking a tar archive, the tar
crate's unpack_dir function uses fs::metadata() to check
whether a path that already exists is a directory. Because fs::metadata()
follows symbolic links, a crafted tarball containing a symlink entry followed
by a directory entry with the same name causes the crate to treat the symlink
target as a valid existing directory — and subsequently apply chmod to it. This
allows an attacker to modify the permissions of arbitrary directories outside
the extraction root.
This issue has been fixed in version 0.4.45.
Advisory available under CC0-1.0
license.