Use openat2 to jailify the extraction directory

This addresses CVE-2025-45582. * gnulib.modules: Add openat2. * src/misc.c (open_subdir): New static function. (fdbase_opendir): Use it. * src/tar.c (open_searchdir_how): New var, replacing and augmenting open_searchdir_flags. All uses changed. * tests/extrac31.at: New file. * tests/Makefile (TESTSUITE_AT), tests/testuite.at: Add it.
2026-04-26 03:20:40 +00:00 · 2025-11-13 13:44:10 -08:00
parent aec5d77437
commit 75b03fdff4
10 changed files with 107 additions and 29 deletions
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -140,6 +140,7 @@ TESTSUITE_AT = \
 extrac28.at\
 extrac29.at\
 extrac30.at\
+ extrac31.at\
 filerem01.at\
 filerem02.at\
 grow.at\
--- a/tests/extrac31.at
+++ b/tests/extrac31.at
@@ -0,0 +1,55 @@
+# Test suite for GNU tar.                             -*- Autotest -*-
+# Copyright 2025 Free Software Foundation, Inc.
+#
+# This file is part of GNU tar.
+#
+# GNU tar is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GNU tar is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+AT_SETUP([extracting untrusted incremental])
+AT_KEYWORDS([extract extrac31 --absolute-names])
+
+
+AT_TAR_CHECK([
+
+# Extraction should not escape the extraction directory
+# even when extracting multiple times to the same directory.
+(umask 022 && mkdir -p dira/sub dirb/sym dirb/sub/sym ext victimdir victimexp)
+ln -s .. dira/sub/dotdot
+ln -s ../sub dira/sub/dot
+ln -s dotdot/sub dira/sub/anotherdot
+ln -s ../victimdir dira/sym
+ln -s dotdot/../victimdir dira/sub/sym
+echo b1 >dirb/sym/file1
+echo b2 >dirb/sub/sym/file2
+echo v >victimdir/expected
+echo v >victimdir/file1
+echo v >victimdir/file2
+cp victimdir/* victimexp
+tar -cf a.tar -C dira sub sym
+tar -cf b.tar -C dirb sym/file1 sub/sym/file2
+tar -xf a.tar -C ext
+echo status1=$?
+tar -xf b.tar -C ext
+echo status2=$?
+diff victimdir victimexp
+],
+[],
+[status1=0
+status2=2
+],
+[tar: sym/file1: Cannot open: Invalid cross-device link
+tar: sub/sym/file2: Cannot open: Invalid cross-device link
+tar: Exiting with failure status due to previous errors
+])
+AT_CLEANUP
--- a/tests/testsuite.at
+++ b/tests/testsuite.at
@@ -357,6 +357,7 @@ m4_include([extrac27.at])
 m4_include([extrac28.at])
 m4_include([extrac29.at])
 m4_include([extrac30.at])
+m4_include([extrac31.at])

 m4_include([backup01.at])