archive: Prevent symlink-directory collision chmod attack (#442)
author Alex Crichton <alex@alexcrichton.com>
Thu, 19 Mar 2026 21:58:05 +0000 (16:58 -0500)
committer Fabian Grünbichler <debian@fabian.gruenbichler.email>
Wed, 8 Apr 2026 17:02:02 +0000 (19:02 +0200)
commit 15004c6a33775071a11749664398de8b2e2aea99
tree eadfb93e9eeb6e209578ce3221fc4c2fb91eff5a
parent 4786fc9ce690abe21a35dae785ca70ccedbbed98
archive: Prevent symlink-directory collision chmod attack (#442)

When unpacking a tarball containing a symlink followed by a directory
entry with the same path, unpack_dir previously used fs::metadata()
which follows symlinks. This allowed an attacker to modify permissions
on arbitrary directories outside the extraction path.

The fix uses fs::symlink_metadata() to detect symlinks and refuse to
treat them as valid existing directories.

Document more exhaustively+consistently security caveats.

Reported-by: Sergei Zimmerman <https://github.com/xokdvium>
Assisted-by: OpenCode (Claude claude-opus-4-5)
Signed-off-by: Colin Walters <walters@verbum.org>
Co-authored-by: Colin Walters <walters@verbum.org>
FG: drop test-related changes
Signed-off-by: Fabian Grünbichler <debian@fabian.gruenbichler.email>
Fixes: CVE-2026-33056
Gbp-Pq: Topic vendor
Gbp-Pq: Name tar-CVE-2026-33056.patch
vendor/tar-0.4.44/src/archive.rs
vendor/tar-0.4.44/src/entry.rs
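
The difference between the two checks named in the commit message, as an added example that is not code from this commit or from the tar crate. The function names and the scratch layout are hypothetical and constructed for illustration, and the symlink call assumes a Unix target.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::symlink;
use std::path::Path;

/// Check in the style the commit message describes as the old behaviour:
/// fs::metadata() follows symlinks, so a symlink pointing at a directory
/// is reported as an existing directory.
fn is_dir_following_symlinks(path: &Path) -> bool {
    fs::metadata(path).map(|m| m.is_dir()).unwrap_or(false)
}

/// Check in the style of the fix: fs::symlink_metadata() describes the
/// path itself, so a symlink is never accepted as an existing directory.
fn is_real_dir(path: &Path) -> bool {
    fs::symlink_metadata(path).map(|m| m.file_type().is_dir()).unwrap_or(false)
}

/// Builds a constructed layout under the system temp directory:
///   <scratch>/outside/     directory outside the extraction root
///   <scratch>/dest/sub  -> symlink to <scratch>/outside
///   <scratch>/dest/real/   ordinary directory inside the root
/// Returns (old check on sub, new check on sub, new check on real).
fn compare_checks(label: &str) -> io::Result<(bool, bool, bool)> {
    let name = format!("symlink-dir-check-{}-{}", label, std::process::id());
    let scratch = std::env::temp_dir().join(name);
    let _ = fs::remove_dir_all(&scratch); // clear leftovers from an earlier run
    let dest = scratch.join("dest");
    fs::create_dir_all(dest.join("real"))?;
    fs::create_dir_all(scratch.join("outside"))?;
    symlink(scratch.join("outside"), dest.join("sub"))?;

    let result = (
        is_dir_following_symlinks(&dest.join("sub")),
        is_real_dir(&dest.join("sub")),
        is_real_dir(&dest.join("real")),
    );
    fs::remove_dir_all(&scratch)?; // removes the link itself, not its target
    Ok(result)
}

fn main() -> io::Result<()> {
    let (old_on_link, new_on_link, new_on_dir) = compare_checks("main")?;
    println!("fs::metadata on symlink:         is_dir = {}", old_on_link);
    println!("fs::symlink_metadata on symlink: is_dir = {}", new_on_link);
    println!("fs::symlink_metadata on real dir: is_dir = {}", new_on_dir);
    Ok(())
}
```
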