There is a vulnerability in unarr which will lead to a path traversal vulnerability #21

@Th1nkkk

Description

There is a vulnerability in unarr which will lead to a path traversal vulnerability.
Go unarr does not check the contents of the archive.

Exploit process

  1. An attacker can construct a malicious tar package (or any compressed archive file).
    As shown in the figure below, obviously this will not succeed under the tar command, because the tar command fixes the vulnerability.
    [image: screenshot of the tar command refusing the archive]

  2. The victim uses go unarr to unzip the archive.
    As shown in the figure below, path traversal occurs during go unarr decompression, and we upload the file to the ../ directory.
    [image: screenshot of go unarr writing the file to the ../ directory]

  3. By triggering the path traversal vulnerability, an attacker can store any file in any privileged place (which means that RCE can be caused under root privileges).
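The missing check the report describes, written as an added example rather than code from unarr or its author: every entry name is resolved under the destination directory and refused when the cleaned path escapes it, and only regular files are accepted. `SafeJoin`, `PlanExtraction`, `BuildTar` and the `/tmp/out` destination are assumptions of this example; the archive is constructed in memory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// SafeJoin resolves an entry name under destDir; false means the cleaned path escapes it ("../x", "a/../../x", ".."), while "..hidden" still passes.
func SafeJoin(destDir, name string) (string, bool) {
	target := filepath.Join(destDir, name) // Join cleans, collapsing ".." segments
	rel, err := filepath.Rel(destDir, target)
	return target, err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// PlanExtraction walks a tar stream and decides, before anything touches disk, which entries
// may be written under destDir. Only regular files pass: symlink/hardlink entries can redirect later writes.
func PlanExtraction(r io.Reader, destDir string) (accepted, rejected []string, err error) {
	tr := tar.NewReader(r)
	for hdr, e := tr.Next(); e != io.EOF; hdr, e = tr.Next() {
		if e != nil {
			return accepted, rejected, e
		}
		if target, ok := SafeJoin(destDir, hdr.Name); ok && hdr.Typeflag == tar.TypeReg {
			accepted = append(accepted, target)
		} else {
			rejected = append(rejected, hdr.Name) // worth logging: a traversal attempt or an unsafe entry type
		}
	}
	return accepted, rejected, nil
}

// BuildTar builds an in-memory tar from name->content pairs (constructed test data, not a real archive).
func BuildTar(entries [][2]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		_ = tw.WriteHeader(&tar.Header{Name: e[0], Mode: 0o644, Size: int64(len(e[1])), Typeflag: tar.TypeReg})
		_, _ = tw.Write([]byte(e[1]))
	}
	_ = tw.Close()
	return buf.Bytes()
}

func main() {
	archive := BuildTar([][2]string{{"ok.txt", "hello"}, {"../escape.txt", "pwned"}, {"a/../../b", "x"}})
	fmt.Println(PlanExtraction(bytes.NewReader(archive), "/tmp/out")) // [/tmp/out/ok.txt] [../escape.txt a/../../b] <nil>
}
```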
