{"id":"RUSTSEC-2018-0002","summary":"Links in archives can overwrite any existing file","details":"When unpacking a tarball with the `unpack_in`-family of functions it's intended\nthat only files within the specified directory are able to be written. Tarballs\nwith hard links or symlinks, however, can be used to overwrite any file on the\nfilesystem.\n\nTarballs can contain multiple entries for the same file. A tarball which first\ncontains an entry for a hard link or symlink pointing to any file on the\nfilesystem will have the link created, and then afterwards if the same file is\nlisted in the tarball the hard link will be rewritten and any file can be\nrewritten on the filesystem.\n\nThis has been fixed in https://github.com/alexcrichton/tar-rs/pull/156 and is\npublished as `tar` 0.4.16. Thanks to Max Justicz for discovering this and\nemailing about the issue!","aliases":["CVE-2018-20990","GHSA-2367-c296-3mp2"],"modified":"2023-11-08T04:00:13.305474Z","published":"2018-06-29T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/tar"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2018-0002.html"},{"type":"WEB","url":"https://github.com/alexcrichton/tar-rs/pull/156"}],"affected":[{"package":{"name":"tar","ecosystem":"crates.io","purl":"pkg:cargo/tar"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.4.16"}]}],"ecosystem_specific":{"affects":{"arch":[],"os":[],"functions":[]},"affected_functions":null},"database_specific":{"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2018-0002.json","categories":[],"cvss":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}