Bug 207396

Summary: Crafted tar archive can be used to remove arbitrary files
Product: Base System Reporter: Robert Clausecker <fuz>
Component: miscAssignee: freebsd-bugs mailing list <bugs>
Status: New ---    
Severity: Affects Some People CC: emaste, kientzle, vsasjason
Priority: ---    
Version: 10.2-RELEASE   
Hardware: Any   
OS: Any   
Description Flags
A tar file that removes a file named f1 in badly constructed tar implementations none

Description Robert Clausecker 2016-02-21 17:17:54 UTC
Created attachment 167263 [details]
A tar file that removes a file named f1 in badly constructed tar implementations

The ustar file format allows to store hard links. Hard links are stored as entries with file type 1 and the linkname field set to the file to link to. In badly constructed tar implementations, a crafted tar file that attempts to link a file to itself can be used to remove files as the tar program first checks if the link-target exists, then unlinks the file name to be linked to and finally attempts to create a link to a non-existent file, which fails for obvious reasons. This attack vector has been known since at least 2003 and is part of the star test suite.

FreeBSD tar apparently doesn't contain code to catch this scenario. Instead, it happily deletes files using such crafted archives. This is a potential security problem as tar is not expected to delete files without replacement as it unpacks an archive.

Attached is the relevant test case from the star test suite.
Comment 1 Robert Clausecker 2016-02-21 17:23:18 UTC
This has been reported as issue #661 to the libarchive project.