Closed refashioned closed 5 years ago
minitar is vulnerable to the same infinite loop that RubyGems was vulnerable to before version 2.7.6. See:

Download loop.gem from the first link; then `minitar list loop.gem` will give an endless stream of

```
minitar list loop.gem
loop loop loop loop loop loop
```

The problem is that `Archive::Tar::Minitar::PosixHeader.from_data` parses fields using `oct`, and `oct` allows lots of syntax including negative numbers.

Be aware that RubyGems' `strict_oct` fix made their code incompatible with some kinds of tar headers, so minitar may have to do something more careful. https://github.com/rubygems/rubygems/issues/2213
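To make the parsing difference concrete, here is an added example (not minitar's or RubyGems' code) that contrasts Ruby's permissive `String#oct` with a strict octal field parser of the kind the issue suggests, and shows why the permissive form can stop an entry loop from advancing. The header field strings, the `strict_oct`/`lenient_oct`/`next_entry_offset` names and the 512-byte record arithmetic are assumptions for this example; the strict regex accepts only octal digits with space/NUL padding, so it would also reject GNU base-256 size encodings, which is the kind of compatibility tradeoff the issue warns about.

```ruby
# Added example, not part of minitar. Shows how String#oct and a strict
# octal parser treat tar header numeric fields differently.

# A tar header numeric field is octal digits, optionally padded with
# spaces and terminated by NUL and/or space. Anything else is rejected.
STRICT_OCTAL = /\A *([0-7]+)[ \x00]*\z/

# Strict parser: returns a non-negative Integer or raises ArgumentError.
def strict_oct(field)
  m = STRICT_OCTAL.match(field)
  raise ArgumentError, "invalid octal field: #{field.inspect}" unless m
  m[1].to_i(8)
end

# Permissive parser: String#oct honours a sign and 0x/0b prefixes and
# silently returns 0 for non-numeric input (assumption: this is the
# behaviour the issue refers to).
def lenient_oct(field)
  field.oct
end

TAR_BLOCK = 512

# Offset of the next header, given the current header offset and the raw
# size field. Uses the strict parser and refuses any result that does not
# move forward, which is the condition an entry-listing loop relies on.
def next_entry_offset(current_offset, size_field)
  size = strict_oct(size_field)
  padded = ((size + TAR_BLOCK - 1) / TAR_BLOCK) * TAR_BLOCK
  nxt = current_offset + TAR_BLOCK + padded
  raise ArgumentError, "entry does not advance" unless nxt > current_offset
  nxt
end

# Constructed sample fields (12-byte size-field style, NUL terminated).
SAMPLE_FIELDS = {
  "normal 100 bytes" => "00000000144\0",
  "negative"         => "-10\0",
  "hex prefix"       => "0x10\0",
  "non-numeric"      => "loop\0",
}

# Summarise how each parser treats each field; returns a Hash of results.
def compare_parsers(fields = SAMPLE_FIELDS)
  fields.each_with_object({}) do |(label, raw), out|
    strict = begin
      strict_oct(raw)
    rescue ArgumentError
      :rejected
    end
    out[label] = { lenient: lenient_oct(raw), strict: strict }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_parsers.each do |label, r|
    puts format("%-18s lenient=%-4s strict=%s", label, r[:lenient], r[:strict])
  end
end
```

With `lenient_oct`, a size field such as `-10` yields a negative byte count, so the computed position of the next header can land at or before the current one and the listing loop never terminates; `strict_oct` rejects the field before any offset arithmetic happens.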