Bug 207396 - Crafted tar archive can be used to remove arbitrary files
Summary: Crafted tar archive can be used to remove arbitrary files
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: misc (show other bugs)
Version: 10.2-RELEASE
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-21 17:17 UTC by Robert Clausecker
Modified: 2016-04-04 07:44 UTC (History)
3 users (show)

See Also:


Attachments
A tar file that removes a file named f1 in badly constructed tar implementations (1.50 KB, application/x-tar)
2016-02-21 17:17 UTC, Robert Clausecker
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Clausecker 2016-02-21 17:17:54 UTC
Created attachment 167263 [details]
A tar file that removes a file named f1 in badly constructed tar implementations

The ustar file format allows to store hard links. Hard links are stored as entries with file type 1 and the linkname field set to the file to link to. In badly constructed tar implementations, a crafted tar file that attempts to link a file to itself can be used to remove files as the tar program first checks if the link-target exists, then unlinks the file name to be linked to and finally attempts to create a link to a non-existent file, which fails for obvious reasons. This attack vector has been known since at least 2003 and is part of the star test suite.

FreeBSD tar apparently doesn't contain code to catch this scenario. Instead, it happily deletes files using such crafted archives. This is a potential security problem as tar is not expected to delete files without replacement as it unpacks an archive.

Attached is the relevant test case from the star test suite.
Comment 1 Robert Clausecker 2016-02-21 17:23:18 UTC
This has been reported as issue #661 to the libarchive project.

https://github.com/libarchive/libarchive/issues/661