Hello,

On Sun, Mar 22, 2026 at 12:30:45PM -0700, Paul Eggert wrote:
> Thanks for reporting the bug. I installed the attached patch. Please give it
> a try.
>
> > I am happy to coordinate on a disclosure timeline.
>
> Thanks for that too, but it's already disclosed here:
>
> https://lists.gnu.org/r/bug-tar/2026-03/msg00007.html
Moreover, a bug with exactly the same impact (desynchronization allowing a
file to be hidden from tar -t) was already disclosed a month ago:

https://lists.gnu.org/archive/html/bug-tar/2026-02/msg00022.html

The reproducer for the last one is probably easier, but the impact of the
former is IMO identical. By the way, the former bug is still unfixed.

Regards,
Pavel

> Please feel free to report the bug elsewhere. There should not be much
> trouble for people who follow the advice in the tar manual, which says "When
> extracting from an untrusted archive, it is therefore good practice to
> create an empty directory and run tar in that directory."[1] Of course not
> everybody follows advice in software manuals.
>
> [1]: https://www.gnu.org/software/tar/manual/html_node/Integrity.html
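The thread's concern is an archive whose `tar -t` listing and whose extraction disagree, so that a member lands on disk without ever appearing in the listing. The following script is an added example, not code from this thread or from GNU tar: it applies the manual's advice quoted above (extract only inside a fresh, empty directory) and adds the cross-check a reviewer of an untrusted archive would want, comparing the normalised `tar -t` listing against what `find` sees after extraction, and refusing listings with absolute or `..` paths. The sample archive it builds is constructed for the demo and is a normal, consistent archive; the function and file names are this example's own. It assumes a POSIX sh with tar, find, sed, sort, cmp and mktemp available.

```shell
#!/bin/sh
# Added example (not from the bug-tar thread or GNU tar). Extract an
# untrusted archive in an empty directory, then check that "tar -t" and
# the extracted tree name exactly the same paths.
set -u

# Read a raw "tar -t" listing on stdin; emit it with trailing "/" on
# directory entries removed and sorted, so it can be compared with find output.
normalize_listing() {
    sed 's,/$,,' | sort
}

# Return 1 if the normalised listing in FILE contains an absolute path or a
# ".." path component, 0 otherwise.
reject_unsafe_paths() {
    if grep -E '^/|(^|/)\.\.(/|$)' "$1" >/dev/null; then
        echo "refusing: listing contains absolute or .. paths" >&2
        return 1
    fi
    return 0
}

# Build a small, consistent sample archive at OUT (constructed demo input).
make_sample_archive() {
    out=$1
    case $out in /*) ;; *) out=$PWD/$out ;; esac
    src=$(mktemp -d) || return 1
    mkdir -p "$src/pkg/docs"
    printf 'hello\n' > "$src/pkg/README"
    printf 'level = info\n' > "$src/pkg/docs/conf"
    (cd "$src" && tar -cf "$out" pkg) || return 1
    rm -rf "$src"
}

# Usage: check_archive ARCHIVE
# Exit 0 when the listing and the extracted tree agree exactly; exit 1 when a
# path was listed or extracted but not both (the desynchronization impact
# discussed in the thread), when the listing looks unsafe, or on tar errors.
check_archive() {
    archive=$1
    case $archive in /*) ;; *) archive=$PWD/$archive ;; esac
    work=$(mktemp -d) || return 1
    mkdir "$work/tree"

    # 1. Take the listing first, before anything touches the disk.
    tar -tf "$archive" | normalize_listing > "$work/listed"
    # 2. Refuse obviously hostile member names outright.
    if ! reject_unsafe_paths "$work/listed"; then
        rm -rf "$work"; return 1
    fi
    # 3. Extract inside the fresh, empty directory, as the manual advises.
    if ! (cd "$work/tree" && tar -xf "$archive"); then
        rm -rf "$work"; return 1
    fi
    # 4. Enumerate what actually landed, in the same normalised form.
    (cd "$work/tree" && find . ! -path . -print | sed 's,^\./,,' | sort) \
        > "$work/extracted"
    # 5. The two views must be identical; any difference is a red flag.
    if cmp -s "$work/listed" "$work/extracted"; then
        rm -rf "$work"; return 0
    fi
    echo "listing and extracted tree differ (listed vs extracted):" >&2
    diff "$work/listed" "$work/extracted" >&2
    rm -rf "$work"; return 1
}

# Stand-alone use: "sh check-archive.sh untrusted.tar"; with no argument,
# build the sample archive and check it.
if [ $# -gt 0 ]; then
    check_archive "$1"
else
    demo=$(mktemp -d)/sample.tar
    make_sample_archive "$demo" && check_archive "$demo" \
        && echo "sample archive: listing matches extracted tree"
    rm -rf "${demo%/*}"
fi
```

The check deliberately extracts into a directory it created itself and compares against the listing taken beforehand, so an archive that parses differently between `-t` and `-x` is caught on the first member that extraction writes but the listing did not show. It does not tell you which of the two tar passes was wrong, only that the archive cannot be trusted.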
