Archive::Tar
cpe:2.3:a:archive::tar_project:archive::tar:*:*:*:*:perl:*:*
- < 3.08
A vulnerability exists in Archive::Tar versions prior to 3.08 for Perl, where the library extracts symlinks and hardlinks to attacker-controlled targets outside the extraction directory. The issue arises because the '_make_special_file()' function passes the tar header's linkname to the symlink() or link() functions without checking it for absolute paths or directory traversal segments. This flaw allows the creation of symlinks or hardlinks that can be exploited to read from or write to arbitrary locations on the filesystem. While the 'secure-extract' mode prevents regular files from being extracted to symlinked directories, it does not apply the same restrictions to symlink or hardlink targets, leaving a gap that can be exploited.
Exploitation of this vulnerability allows for the extraction of symlinks and hardlinks to arbitrary locations, potentially leading to unauthorized file access or modification.
The vulnerability can be reproduced by creating a tar archive that includes symlinks or hardlinks with targets outside the intended extraction directory. When this archive is extracted using Archive::Tar version 3.06 or earlier, the library creates the symlink or hardlink with the specified target path, bypassing the extraction directory restrictions.
Users can upgrade to Archive::Tar version 3.08 or later, where this vulnerability has been addressed.
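Where an upgrade cannot be rolled out immediately, archives can be audited before extraction. The script below is an added example, not code from the Archive::Tar project and not its 3.08 fix: it lists link entries whose linkname is absolute or climbs out of the extraction root. The helper names escapes_root and unsafe_links and the in-memory sample entries are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Archive::Tar;
use Archive::Tar::Constant;    # exports the SYMLINK and HARDLINK type constants

# True if $target, resolved lexically from directory $base (itself relative
# to the extraction root), is absolute or climbs above the root.
sub escapes_root {
    my ($base, $target) = @_;
    return 1 if $target =~ m{^/};
    my $depth = 0;
    for my $seg (grep { $_ ne '' && $_ ne '.' } split m{/+}, "$base/$target") {
        $depth += $seg eq '..' ? -1 : 1;
        return 1 if $depth < 0;
    }
    return 0;
}

# Returns [path, kind, linkname] for each link entry whose target leaves the root.
sub unsafe_links {
    my ($tar) = @_;
    my @bad;
    for my $f ($tar->get_files) {
        next unless $f->is_symlink || $f->is_hardlink;
        my $kind = $f->is_symlink ? 'symlink' : 'hardlink';
        # A symlink target resolves from the link's own directory; a hardlink
        # target is a member path counted from the archive root.
        my $base = '';
        ($base = $f->full_path) =~ s{[^/]*\z}{} if $kind eq 'symlink';
        push @bad, [ $f->full_path, $kind, $f->linkname ]
            if escapes_root($base, $f->linkname);
    }
    return @bad;
}

# Constructed sample archive, built in memory; nothing is read or extracted.
my $tar = Archive::Tar->new;
$tar->add_data('readme.txt', "hello\n");
$tar->add_data('docs/latest', '', { type => SYMLINK,  linkname => '../readme.txt' });   # inside root
$tar->add_data('docs/up',     '', { type => SYMLINK,  linkname => '../../outside' });   # traversal
$tar->add_data('abs',         '', { type => SYMLINK,  linkname => '/tmp/placeholder' }); # absolute
$tar->add_data('hard',        '', { type => HARDLINK, linkname => '../outside' });      # traversal

printf "%-8s %s -> %s\n", @{$_}[1, 0, 2] for unsafe_links($tar);
```

The check is lexical only, so it does not account for symlinks that already exist in the extraction directory. Treat it as a screening step alongside the upgrade, not a replacement for it.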