Package: cpio This command looks safe, and is a reasonable "backup" command: find /home -type f | cpio -H tar -o > /var/backups/backup.tar
But if /home/evil/foo.data is maliciously set up (size is >8GiB) then the tar file can be made to have arbitrary content, so a restore could overwrite /etc/passwd or anything else under the restore tree, using any permissions. A world writable /dev/sda would also be bad, as would many other fun variants. Like user controlling /home/evil can inject /home/friendly/.bashrc content too. Patch at https://cement.retrofitta.se/tmp/cpio-tar.patch Patch commit message: Check for size overflow in tar header fields. This prevents surprising outputs being created, e.g. this cpio tar output with more than one file: tar cf suffix.tar AUTHORS dd if=/dev/zero seek=16G bs=1 count=0 of=suffix.tar echo suffix.tar | cpio -H tar -o | tar tvf - -rw-r--r-- 1000/1000 0 2019-08-30 16:40 suffix.tar -rw-r--r-- thomas/thomas 161 2019-08-30 16:40 AUTHORS