Message-ID: <874ilh5ohs.fsf@gmail.com>
Date: Sat, 11 Apr 2026 11:41:03 -0700
From: Collin Funk <collin.funk1@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: GNU tar: listing/extraction desynchronization allows hidden file injection

Alan Coopersmith <alan.coopersmith@...cle.com> writes:

> Red Hat appears to have assigned CVE-2026-5704 to this issue.
>
> Paul Eggert provided a patch in
> https://lists.gnu.org/archive/html/bug-tar/2026-03/msg00011.html
> which is also available in
> https://cgit.git.savannah.gnu.org/cgit/tar.git/commit/?id=b8d8a61b25588caca4efaf9bdd2e3f1a49da77e3
>
> https://lists.gnu.org/archive/html/bug-tar/2026-03/msg00012.html points out
> that a similar report was also included in
> https://lists.gnu.org/archive/html/bug-tar/2026-02/msg00022.html
> along with a number of other bug reports.

Not directly related to the issues in GNU tar, but one of the reports you shared [1]. See the following text:

> I am happy to coordinate on a disclosure timeline. Please let me know
> if you need additional information or testing.

This is one of many examples I have seen lately of people writing as if they were sending private messages on a public list. I assume it is a common LLM hallucination? I find it mildly annoying, especially since it is often paired with total slop. I guess in this case it isn't a big deal since it is associated with an actual issue.

For a worse example, see a recent bug report in GNU coreutils claiming that the 'printf' command allowed for remote code execution because it allows the user to control the format string [2]. Which is made worse by it just making up code that doesn't exist.

Collin

[1] https://lists.gnu.org/archive/html/bug-tar/2026-03/msg00007.html
[2] https://bugs.gnu.org/80802