New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix tar path traversal through symlinks #396
base: v3-deprecated
Are you sure you want to change the base?
Conversation
* fix tar path traversal through symlinks Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * address absolute symlink destinations Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
It seems your patch requires Go 1.15, can you please update the CI workflow to use Go 1.15 (multiple versions not necessary anymore at this point) |
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
not a problem -- I left the test matrix in place in case anyone wants to test multiple versions again but restricted this to v1.15. |
Thanks, that's exactly what I was thinking. I'm not entirely sure why the tests are failing now, but it looks like one of the deps doesn't build on Mac -- that one is likely unrelated to this change. |
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
I've bumped to go 1.21, but have low hopes. The windows test failure seems to be a separate issue:
|
Yeah, probably unrelated. I haven't touched this code in years, so it doesn't surprise me. I'll try to investigate when I get back from an errand. (I imagine there's no need to require a Go version bump on code that is ~5 years old though) |
Ok so one of the tests is failing on Windows because the path described in the unarchival operation doesn't exist in the CI environment. Once that is fixed, we can probably merge this. Also maybe we can downgrade Go again to 1.15 or so, I don't think ~5 year old code needs to be requiring the most recent Go. |
Hello, |
I just came here to see if anything was blocking a new release and it's the failing Windows test. The PR author needs to address that issue first. Looks like something to do with the line:
I'm presuming that needs a |
Hi @wagoodman, just wondering if you still have plans to keep working on this CVE fix. It seems like the Windows test is failing but someone suggested a solution above. |
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Sorry, I thought this was already merged 😳 I just pushed a test update @mholt (the issue was that the test was expressing an absolute path, but only for unix systems, not windows). |
Hey @mholt could you take a look at this PR ? |
Hey @mholt would you mind taking a look at this PR? Thank you! |
This PR addresses behavior of
archiver.Tar.Unarchive()
described in CVE-2024-0406, specifically in two cases:Case 1
When a tar contains two header entries for the same file:
./x
, is a symlink that points relatively outside of the unarchive destination (e.g.../../../here
)./x
, is a regular fileThis will result in the symlink being created in the first pass, then the second entry writing contents to a potentially new file (or overwrite an existing file) outside of the unarchive destination
Case 2
When a tar contains a link that points to an absolute path (e.g.
/bin/here
). In this case it is unlikely that this path is within the unarchive destination.Changes
This PR changes the behavior by: