mirrors/tar
1
0
Fork 0
mirror of https://git.savannah.gnu.org/git/tar.git synced 2026-04-26 11:30:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use openat2 to jailify the extraction directory

Browse Source 
This addresses CVE-2025-45582.
* gnulib.modules: Add openat2.
* src/misc.c (open_subdir): New static function.
(fdbase_opendir): Use it.
* src/tar.c (open_searchdir_how): New var, replacing and
augmenting open_searchdir_flags.  All uses changed.
* tests/extrac31.at: New file.
* tests/Makefile (TESTSUITE_AT), tests/testuite.at: Add it.
This commit is contained in:
Paul Eggert
2025-11-13 13:44:10 -08:00
parent aec5d77437
commit 75b03fdff4
10 changed files with 107 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/common.h
View File

@@ -376,7 +376,7 @@ struct name
/* Flags for reading, searching, and fstatatting files. */
extern int open_read_flags;
extern int open_searchdir_flags;
extern struct open_how open_searchdir_how;
extern int fstatat_flags;
extern int seek_option;