Hi Ian,
Thanks for the report. Yes, I did not notice (and yes, I check tars with -vt before
installing).

What do you expect now?
Do you have a patch?
Do you want to start a discussion about possible solutions?
(I use a strict ASCII-only policy in my projects to catch other traps as well.)
What does gnutar do here?

CU


________________________________________
From: busybox <busybox-boun...@busybox.net> on behalf of Ian Norton
<ian.nor...@entrust.com>
Sent: Thursday, 13 June 2024 19:35:33
To: busybox@busybox.net
Subject: Re busybox tar hidden filename exploit

Hello all.

A few weeks back I logged https://bugs.busybox.net/show_bug.cgi?id=16018 but it 
doesn’t seem to have had any attention so I thought I’d reach out here.

The bug in question shouldn’t be a serious issue for any kind of well written 
automated scripting, but anyone using a terminal to view tar content before 
unpacking could be impacted, allowing an attacker to hide one or more files 
from the “tar -tf ARCHIVE” or “tar -xvf ARCHIVE” output on a console.

You could imagine using this method to hide a “.profile” file in an archive 
that someone might unpack in their home folder, or worse.

While this would probably require a degree of social engineering or inattention 
to exploit, the same issue has been fixed in GNU tar and other archive tools (I 
believe libarchive recently fixed this issue).

Many thanks

Ian
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
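The thread does not spell out how a member name gets hidden from a console listing; the example below assumes the mechanism is terminal control characters (carriage return, ESC) embedded in the name, and it is added here as illustration rather than taken from the bug report, BusyBox or GNU tar. It builds a constructed in-memory archive with one ordinary member, one whose name carries control characters, and one with printable non-ASCII, then shows the two defences the thread touches on: a strict ASCII-printable policy check of the kind the reply describes (`is_safe_name`, `suspicious_members`, both names chosen here), and a listing that renders every non-printable byte as a backslash-octal escape so nothing can vanish on a terminal (`quote_name`, loosely in the spirit of GNU tar's default quoting, not a byte-exact reimplementation of it).

```python
import io
import tarfile

# Constructed sample archive (not a real-world file). The second member name
# contains "\r" (moves the cursor to column 0 on a terminal) followed by an
# ESC-based erase-line sequence, so a naive console listing would show only
# what comes after it. Assumption: this is the kind of name the report means.
SAMPLE_MEMBERS = (
    ("README", b"harmless\n"),
    (".profile\r\x1b[2K README", b"echo pwned\n"),
    ("docs/\xe9t\xe9.txt", b"non-ascii but printable\n"),
)


def build_sample_archive() -> bytes:
    """Return the constructed archive as bytes (uncompressed tar)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", encoding="utf-8") as tar:
        for name, data in SAMPLE_MEMBERS:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_safe_name(name: str) -> bool:
    """Strict policy: printable ASCII only, relative, no '..' components.

    This is the 'ASCII-only' rule the reply mentions, plus the usual path
    traversal checks a script should apply before extracting anything.
    """
    if not name or name.startswith("/") or ".." in name.split("/"):
        return False
    return all(0x20 <= ord(c) < 0x7F for c in name)


def suspicious_members(archive: bytes) -> list[str]:
    """Names in the archive that violate is_safe_name, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r", encoding="utf-8") as tar:
        return [m.name for m in tar.getmembers() if not is_safe_name(m.name)]


def quote_name(name: str) -> str:
    """Render a member name so every byte is visible on a terminal.

    Printable ASCII passes through, a backslash is doubled, and every other
    byte (control characters and non-ASCII, taken per UTF-8 byte) becomes a
    three-digit octal escape. Names that came from the filesystem with
    undecodable bytes survive via surrogateescape.
    """
    out = []
    for b in name.encode("utf-8", "surrogateescape"):
        if b == 0x5C:  # backslash
            out.append("\\\\")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)
    return "".join(out)


def safe_listing(archive: bytes) -> list[str]:
    """Equivalent of 'tar -tf' with every name passed through quote_name."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r", encoding="utf-8") as tar:
        return [quote_name(m.name) for m in tar.getmembers()]


if __name__ == "__main__":
    blob = build_sample_archive()
    print("naive listing (what a console might swallow):")
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r", encoding="utf-8") as t:
        for m in t.getmembers():
            print("  " + m.name)
    print("quoted listing:")
    for line in safe_listing(blob):
        print("  " + line)
    print("policy violations:", [quote_name(n) for n in suspicious_members(blob)])
```

Run it in a terminal and compare the two listings: the naive one hides `.profile` behind the erase sequence, the quoted one shows `.profile\015\033[2K README`. The policy check also flags the printable non-ASCII name; that is deliberate, since the reply's point is that an ASCII-only rule is cheap and catches other traps (homoglyphs, bidi overrides) without needing a list of dangerous code points.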
