[Bug 16018] busybox tar allows un-escaped filenames to be printed to stdout/stderr

bugzilla at busybox.net bugzilla at busybox.net
Wed Jun 19 20:45:56 UTC 2024


https://bugs.busybox.net/show_bug.cgi?id=16018

--- Comment #1 from Ian Norton <ian.norton at entrust.com> ---
A similar bug was found as a result of other projects exploring the
contributions from the person behind the xz hacks.

libarchive is one such project that fixed this unescaped output (which was
contributed by the attacker).

The original suspicious commit there was:
https://github.com/libarchive/libarchive/commit/f27c173d17dc807733b3a4f8c11207c3f04ff34f

Recently fixed in:

https://github.com/libarchive/libarchive/commit/6110e9c82d8ba830c3440f36b990483ceaaea52c

where the fix correctly escapes archive member names (just as GNU tar does).

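An added illustration of the fix the comment describes (escaping member names before they reach the terminal); this is example code written for this page, not BusyBox, libarchive or GNU tar code. It approximates GNU tar's default "escape" quoting style with C-style escapes for control characters, builds a constructed in-memory archive with Python's standard `tarfile` module whose second member name embeds an ESC byte and a newline, and lists the archive the way a fixed `tar -t` would, so neither byte can alter the terminal display or fake an extra listing line. The names `quote_member_name`, `build_sample_archive` and `list_members` are this example's own.

```python
import io
import tarfile
import unicodedata

# Single-character escapes in the style of GNU tar's default "escape" quoting
# (an approximation written for this example, not tar's own code).
_NAMED_ESCAPES = {
    "\a": "\\a", "\b": "\\b", "\t": "\\t", "\n": "\\n",
    "\v": "\\v", "\f": "\\f", "\r": "\\r", "\\": "\\\\",
}


def quote_member_name(name: str) -> str:
    """Return `name` with every control character escaped so the result can
    be printed to a terminal without being interpreted as a control sequence."""
    out = []
    for ch in name:
        if ch in _NAMED_ESCAPES:
            out.append(_NAMED_ESCAPES[ch])
        elif unicodedata.category(ch) == "Cc":
            # Any other control character (ESC, DEL, C1 controls, ...) is
            # emitted byte-wise as an octal escape, as GNU tar does.
            raw = ch.encode("utf-8", "surrogateescape")
            out.append("".join("\\%03o" % b for b in raw))
        else:
            out.append(ch)
    return "".join(out)


def build_sample_archive() -> bytes:
    """Constructed sample: an in-memory tar with one benign member and one
    whose name embeds an ESC byte and a newline (sample data, not a real file)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "docs/report\x1b[1m.txt\nnot-a-member"):
            data = b"hello\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def list_members(archive: bytes) -> list[str]:
    """Member names as a fixed `tar -t` would print them: quoted, one per line."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return [quote_member_name(m.name) for m in tar.getmembers()]


if __name__ == "__main__":
    for line in list_members(build_sample_archive()):
        print(line)
```

Printing the raw `m.name` instead of the quoted form is the unfixed behaviour the bug report is about; the quoting step is the only difference between the two listings.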