Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. Extracting a tarball that contains a hardlink to a file that already exists on the system, followed by a file entry whose path matches that hardlink, overwrites the system file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.
Upgrade to version 1.0.12 or later.
CWE: CWE-59
Severity: HIGH
GitHub reviewed: yes (2019-05-30T17:17:33Z)