mafintosh tar-fs
cpe:2.3:a:tar-fs_project:tar-fs:*:*:*:*:*:*:*
- 0.0.0 < 1.16.4
- 2.0.0 < 2.1.2
- 3.0.0 < 3.0.8
A vulnerability has been identified in the tar-fs package, affecting versions 0.0.0 prior to 1.16.4, 2.0.0 prior to 2.1.2, and 3.0.0 prior to 3.0.8. The issue combines improper link resolution before file access ('link following') with inadequate limitation of a pathname to a restricted directory ('path traversal'). When a maliciously crafted tar file is extracted, files can be written or overwritten outside the intended extraction directory. The root cause is the handling of symlink entries, which can be abused to create and overwrite files on the host filesystem.
Exploitation of this vulnerability allows for arbitrary file writes or overwrites on the system, potentially leading to remote code execution.
To reproduce this vulnerability, create a tar archive containing a symlink entry pointing to a target path on the filesystem, followed by a regular file entry with the same name as that symlink. When the archive is extracted using tar-fs, the library first creates the symlink and then writes the file data through it, so the data lands at the link target rather than inside the extraction directory, effectively allowing unauthorized writes to the specified location. This can be automated with a script that generates the tar file and simulates the extraction process.
Users can update to tar-fs versions 1.16.4, 2.1.2, or 3.0.8 to address this vulnerability.