File tree Expand file tree Collapse file tree 1 file changed +25
-0
lines changed Expand file tree Collapse file tree 1 file changed +25
-0
lines changed Original file line number Diff line number Diff line change 1+ [[advisory ]]
2+ id = " RUSTSEC-2018-0002"
3+ package = " tar"
4+ unaffected_versions = []
5+ patched_versions = [" >= 0.4.16"
6+ dwf = []
7+ url = " https://github.com/alexcrichton/tar-rs/pull/156"
8+ title = " Links in archives can overwrite any existing file"
9+ date = " 2018-06-29"
10+ description = """
11+ When unpacking a tarball with the `unpack_in`-family of functions it's intended
12+ that only files within the specified directory are able to be written. Tarballs
13+ with hard links or symlinks, however, can be used to overwrite any file on the
14+ filesystem.
15+
16+ Tarballs can contain multiple entries for the same file. A tarball which first
17+ contains an entry for a hard link or symlink pointing to any file on the
18+ filesystem will have the link created, and then afterwards if the same file is
19+ listed in the tarball the hard link will be rewritten and any file can be
20+ rewritten on the filesystem.
21+
22+ This has been fixed in https://github.com/alexcrichton/tar-rs/pull/156 and is
23+ published as `tar` 0.4.16. Thanks to Max Justicz for discovering this and
24+ emailing about the issue!
25+ """
You can’t perform that action at this time.
0 commit comments