tar-rs Chmod Vulnerability in Directory Permissions Management
Vulnerability
A vulnerability exists in the tar-rs library, in versions through 0.4.44, in how the library unpacks tar archives. The unpack_dir function uses fs::metadata() to check whether a path is a directory. fs::metadata() follows symbolic links, so a tarball containing a symlink entry followed by a directory entry of the same name causes the library to treat the symlink target as a valid directory and apply chmod to it. This flaw enables an attacker to alter the permissions of directories outside the extraction root.
Impact
Exploitation of this vulnerability allows for unauthorized modification of directory permissions on the file system, potentially leading to further security issues by allowing access to restricted files or directories.
Reproduction
To reproduce this vulnerability, create a tarball containing a symlink entry named 'foo' that points to an arbitrary external directory, followed by a directory entry also named 'foo'. When this tarball is unpacked, the unpack_dir function follows the symlink, sees that the target is a directory, and applies chmod, thereby modifying the external directory's permissions.
Remediation
Users can upgrade to tar-rs version 0.4.45, which addresses this vulnerability by using fs::symlink_metadata() to properly handle symlinks and prevent them from being followed.
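The difference between the two standard-library calls named above, as an added example that is not tar-rs code: it builds a constructed directory layout with a symlink 'foo' pointing outside an extraction root and runs both styles of check on it. The function names and fixture paths are hypothetical, and the example assumes a Unix system.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::symlink;
use std::path::{Path, PathBuf};

/// Check in the style described for affected versions: fs::metadata()
/// follows symlinks, so a link that points at a directory passes.
fn is_dir_following_links(path: &Path) -> bool {
    fs::metadata(path).map(|m| m.is_dir()).unwrap_or(false)
}

/// Check in the style of the fix: fs::symlink_metadata() describes the
/// path itself, so a symlink is reported as a symlink, not a directory.
fn is_dir_no_follow(path: &Path) -> bool {
    fs::symlink_metadata(path).map(|m| m.file_type().is_dir()).unwrap_or(false)
}

/// Constructed fixture: <base>/outside is a real directory beside the
/// extraction root, <base>/root/foo is a symlink to it, and
/// <base>/root/real is an ordinary directory inside the root.
fn build_fixture(tag: &str) -> io::Result<(PathBuf, PathBuf)> {
    let name = format!("tar_symlink_demo_{}_{}", tag, std::process::id());
    let base = std::env::temp_dir().join(name);
    let _ = fs::remove_dir_all(&base); // clear leftovers from an earlier run
    let root = base.join("root");
    fs::create_dir_all(base.join("outside"))?;
    fs::create_dir_all(root.join("real"))?;
    symlink(base.join("outside"), root.join("foo"))?;
    Ok((base, root))
}

/// Returns (follow-check on the symlink, no-follow check on the symlink,
/// no-follow check on the real directory).
fn run_demo(tag: &str) -> io::Result<(bool, bool, bool)> {
    let (base, root) = build_fixture(tag)?;
    let link = root.join("foo");
    let result = (
        is_dir_following_links(&link),
        is_dir_no_follow(&link),
        is_dir_no_follow(&root.join("real")),
    );
    fs::remove_dir_all(&base)?; // removes the link itself, not its target's contents
    Ok(result)
}

fn main() {
    let (follow, no_follow, real) = run_demo("main").expect("fixture setup failed");
    println!("symlink via metadata: {}, via symlink_metadata: {}, real dir: {}", follow, no_follow, real);
}
```

Only the no-follow check distinguishes the symlink from a genuine directory inside the root, which is why a permission change gated on it stays within the extraction root.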
