PT-2018-15483 · Rust · Tar Crate

Max Justicz · Published 2018-06-29 · Updated 2021-08-25 · CVE-2018-20990

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: tar crate versions prior to 0.4.16

Description: An issue in the tar crate allows arbitrary file overwrite via a symlink or hard link in a TAR archive. When unpacking a tarball, hard links or symlinks inside it can be used to overwrite any file on the filesystem. This occurs because tarballs can contain multiple entries for the same path: an entry for a hard link or symlink pointing at any file on the filesystem causes the link to be created, and a later data entry for the same path is then written through that link, allowing any file on the filesystem to be rewritten.

Recommendations: For versions prior to 0.4.16, update to version 0.4.16 to resolve the issue. As a temporary workaround, avoid the unpack_in family of functions when unpacking tarballs from untrusted sources, and restrict access to tarballs containing hard links or symlinks to minimize the risk of exploitation.
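A pre-unpack audit that a consumer of untrusted archives can run before handing bytes to the crate, written here as an added example (std-only Rust, not the tar crate's own code): it walks ustar headers and flags the two patterns the description relies on, a link target that resolves outside the destination and a data entry for a path that an earlier entry already turned into a link. The header-building helper, the constructed sample archive and its placeholder link target are assumptions for illustration; the 0.4.16 fix itself lives in the crate's unpack logic and is not reproduced here.

```rust
use std::collections::HashMap;
const BLOCK: usize = 512;
// NUL-terminated text field of a 512-byte ustar header block.
fn field(h: &[u8], start: usize, len: usize) -> String {
    let raw = &h[start..start + len];
    let end = raw.iter().position(|&b| b == 0).unwrap_or(len);
    String::from_utf8_lossy(&raw[..end]).into_owned()
}
/// Audit entries before unpacking. Flags link entries whose target is absolute or
/// climbs with "..", and data entries for a path an earlier entry already made a link.
pub fn audit_tar(archive: &[u8]) -> Vec<String> {
    let mut findings = Vec::new();
    let mut links: HashMap<String, String> = HashMap::new(); // entry path -> link target
    let mut off = 0;
    while off + BLOCK <= archive.len() {
        let h = &archive[off..off + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let name = field(h, 0, 100);
        let size = usize::from_str_radix(field(h, 124, 12).trim(), 8).unwrap_or(0);
        if h[156] == b'1' || h[156] == b'2' { // typeflag: hard link or symlink
            let target = field(h, 157, 100);
            if target.starts_with('/') || target.split('/').any(|c| c == "..") {
                findings.push(format!("{}: link target {:?} escapes destination", name, target));
            }
            links.insert(name, target);
        } else if let Some(t) = links.get(&name) {
            findings.push(format!("{}: data entry would be written through link to {:?}", name, t));
        }
        off += BLOCK + (size + BLOCK - 1) / BLOCK * BLOCK; // header plus padded data
    }
    findings
}
// One header block for the constructed sample (checksum left unset; hypothetical helper).
fn header(name: &str, typeflag: u8, link: &str, size: usize) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    h[156] = typeflag;
    h[157..157 + link.len()].copy_from_slice(link.as_bytes());
    h
}
/// Constructed sample: a symlink entry followed by a data entry with the same path.
pub fn sample_archive() -> Vec<u8> {
    let mut a = header("cfg", b'2', "/placeholder/path/outside", 0).to_vec();
    a.extend_from_slice(&header("cfg", b'0', "", 5));
    a.extend_from_slice(b"owned"); // file data, padded to a full block below
    a.resize(a.len() + BLOCK - 5, 0);
    a.extend_from_slice(&[0u8; BLOCK * 2]); // end-of-archive marker
    a
}
```

An archive that passes the audit can still contain relative links within the destination; this check only refuses the two shapes the advisory describes and is no substitute for upgrading to 0.4.16.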

Fix

Weakness Enumeration

Link Following

Related Identifiers

CVE-2018-20990
GHSA-2367-C296-3MP2
RUSTSEC-2018-0002

Affected Products

Tar Crate