Bug 2369875 (CVE-2025-48387)

Summary: CVE-2025-48387 tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: abarbaro, adkhan, ahrabovs, asoldano, aucunnin, bbaranow, bmaxwell, brian.stansberry, caswilli, cdaley, cdewolf, darran.lofthouse, dfreiber, dhanak, dkreling, dosoudil, drosa, drow, dsimansk, fjuma, gmalinko, gryan, gzaronik, istudens, ivassile, iweiss, janstey, jburrell, jcantril, jchui, jhe, jhuff, jkoehler, kaycoth, kingland, ktsao, kverlaen, lgao, lphiri, matzew, mnovotny, mosmerov, msochure, mstoklus, msvehla, nboldt, nwallace, pdelbell, periklis, pesilva, pjindal, pmackay, psrna, rojacob, rstancel, rstepani, sausingh, sdawley, smaestri, tom.jenkinson, vkumar
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in tar-fs. A specially crafted tar archive can cause extract to write files outside the intended extraction directory. The issue arises from insufficient validation of entry paths during extraction, enabling a path traversal that can create or overwrite any file the extracting process has write access to.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2369949, 2369952, 2369948, 2369950, 2369951, 2369953

Description OSIDB Bzimport 2025-06-02 20:01:08 UTC
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.