Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.
Please provide more details. Do newer tar versions behave better?
Do other archives behave better? What is the expected change?
When extracting a tarball under root, users need to know precisely
what they are extracting. There are special notes about this
in GNU tar documentation, namely
"10.2.3 Dealing with Live Untrusted Data".
In reply to comment #1:
> Please provide more details. Do newer tar versions behave better?
> Do other archives behave better? What is the expected change?
> When extracting a tarball under root, users need to know precisely
> what they are extracting. There are special notes about this
> in GNU tar documentation, namely
> "10.2.3 Dealing with Live Untrusted Data".
This is a very old CVE and I believe it was reported just now.
I don't have more details, the only reference available is the one in comment #0. According to that, unzip had a similar issue and there are some discussions whether it's a security vulnerability or not.
This issue was reviewed by the Red Hat Security Response Team back when it was originally reported in 2005. This issue was determined to not be a security flaw, but rather the expected behaviour of tar, and the following statement was used:
This is the documented and expected behaviour of tar.
The GNU tar behaviour when handling archives with setuid or setgid files is as follows:
- When an ordinary, non-root user extracts such an archive, the setuid/setgid bits are not preserved, unless one of the following options is used: -p, --preserve-permissions, --same-permissions
- When the root user extracts such an archive, the setuid/setgid bits are preserved unless the --no-same-permissions option is used.
These defaults are only explicitly documented in the 'tar --help' command output as of version 1.16 thanks to the following commit:
This seems to be the reason why these defaults are properly documented in the tar manual page, which has been included upstream as of version 1.28. The tar packages shipped in Red Hat Enterprise Linux 6 and 7 are based on tar versions prior to 1.28, but they do include the manual page with notes on the defaults for the same-permissions option. The defaults do not seem to be documented in the texinfo documentation though.
Comment 1 above refers to the "10.2.3 Dealing with Live Untrusted Data" section of the GNU tar documentation, however, the info more relevant to this CVE can rather be found in the "10.2.4 Security Rules of Thumb" section:
Notably, it notes:
Extract from an untrusted archive only into an otherwise-empty directory. This directory and its parent should be accessible only to trusted users.
Do not let untrusted users access files extracted from untrusted archives without checking first for problems such as setuid programs.
There are currently no code changes planned in response to this 15+-year-old CVE.
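The extraction defaults described in comment 3, together with the "extract only into an otherwise-empty directory" and "check first for problems such as setuid programs" rules of thumb, as an added shell demonstration that is not part of this bug report or of the GNU tar project: it builds a small archive holding a constructed setuid script, extracts it into a fresh empty directory three ways (default, -p, --no-same-permissions), and audits the result with find. The file and function names are assumptions made for the demonstration; it expects GNU tar (bsdtar accepts the same options), and which default applies depends on whether you run it as root.

```shell
#!/bin/sh
# Added demonstration, not code from the bug report or from GNU tar.
# Shows how tar treats a setuid file when extracting as root vs non-root.
set -e

# Build an archive holding one constructed setuid executable (mode 4755).
# Prints the absolute path of the archive. Names are assumed for the demo.
make_setuid_archive() {
    dir=$1
    mkdir -p "$dir/src"
    printf '#!/bin/sh\necho hello from suid-tool\n' > "$dir/src/suid-tool"
    chmod 4755 "$dir/src/suid-tool"          # setuid bit is recorded in the tar header
    ( cd "$dir/src" && tar -cf "$dir/untrusted.tar" suid-tool )
    printf '%s\n' "$dir/untrusted.tar"
}

# Extract ARCHIVE with the optional tar option OPT into a fresh, empty
# directory (rule of thumb: never on top of existing files), then audit the
# result the way the manual suggests, with find -perm -4000.
# Prints "setuid" if the bit survived extraction, "clean" otherwise.
extract_and_check() {
    archive=$1
    opt=${2:-}                                # e.g. -p or --no-same-permissions
    out=$(mktemp -d)
    ( cd "$out" && tar -x $opt -f "$archive" )   # $opt unquoted: empty means no option
    if [ -n "$(find "$out" -type f -perm -4000)" ]; then
        result=setuid
    else
        result=clean
    fi
    rm -rf "$out"
    printf '%s\n' "$result"
}

# What the defaults in comment 3 predict for the user running this script:
# root keeps the bit (same-permissions is the default), anyone else loses it.
expected_default() {
    if [ "$(id -u)" -eq 0 ]; then echo setuid; else echo clean; fi
}

# Usage: extract the constructed archive three ways and report what happened.
work=$(mktemp -d)
archive=$(make_setuid_archive "$work")
printf 'uid=%s  default: %s (expected %s)  -p: %s  --no-same-permissions: %s\n' \
    "$(id -u)" \
    "$(extract_and_check "$archive")" "$(expected_default)" \
    "$(extract_and_check "$archive" -p)" \
    "$(extract_and_check "$archive" --no-same-permissions)" \
rm -rf "$work"
```

The audit step is the part worth keeping: after any extraction of untrusted data, run `find <dir> -type f -perm -4000 -o -type f -perm -2000` before other users can reach the directory, because with -p even a non-root extraction leaves the setuid bit on a file the extracting user owns.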