2369875 – (CVE-2025-48387) CVE-2025-48387 tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball

Bug 2369875 (CVE-2025-48387) - CVE-2025-48387 tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball

Summary: CVE-2025-48387 tar-fs: tar-fs has issue where extract can write outside the s...

Keywords:
Status:	NEW
Alias:	CVE-2025-48387
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2369948 2369949 2369950 2369951 2369952 2369953
Blocks:
TreeView+	depends on / blocked

Reported:	2025-06-02 20:01 UTC by OSIDB Bzimport
Modified:	2025-06-03 14:59 UTC (History)
CC List:	61 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-06-02 20:01:08 UTC

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.

Note You need to log in before you can comment on or make changes to this bug.

abarbaro
adkhan
ahrabovs
asoldano
aucunnin
bbaranow
bmaxwell
brian.stansberry
caswilli
cdaley
cdewolf
darran.lofthouse
dfreiber
dhanak
dkreling
dosoudil
drosa
drow
dsimansk
fjuma
gmalinko
gryan
gzaronik
istudens
ivassile
iweiss
janstey
jburrell
jcantril
jchui
jhe
jhuff
jkoehler
kaycoth
kingland
ktsao
kverlaen
lgao
lphiri
matzew
mnovotny
mosmerov
msochure
mstoklus
msvehla
nboldt
nwallace
pdelbell
periklis
pesilva
pjindal
pmackay
psrna
rojacob
rstancel
rstepani
sausingh
sdawley
smaestri
tom.jenkinson
vkumar