From: Jeremie Courreges-Anglas
Subject: Re: PAX bug allows unprivileged user to disrupt backups
To: "Todd C. Miller"
Cc: Crystal Kolipe, tech@openbsd.org
Date: Sun, 29 Jun 2025 21:02:27 +0200

On Sat, Jun 28, 2025 at 09:02:16AM -0600, Todd C. Miller wrote:
> On Sun, 22 Jun 2025 04:38:25 -0300, Crystal Kolipe wrote:
>
> > It's possible for a non-root user with no special permissions to disrupt
> > backups made by root using tar and pax. Note that cpio is not affected.
> >
> > This is done by abusing file modification timestamps and fooling tar into
> > quitting early.
>
> The underlying issue is that pax was silently failing when writing
> out the extended headers if the mtime didn't fit in the ustar header
> for the extended header record. This should not be a fatal error
> since the extended header is not a real file and will only be
> extracted by versions of tar that don't support pax format.

Indeed, that wasn't very good error checking. :-/ I'll cook another
diff to improve the other error cases.

> Instead of recomputing those header fields, we can use the fields
> from the underlying file when generating the extended header record.

That has the nice property of having error checking for those fields in
a single place.

ok jca@

--
jca
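
A pre-backup check for the condition discussed in this thread, as an added example that is not part of the original message or of OpenBSD's pax: it walks a tree and reports entries whose mtime would not fit the ustar header's mtime field, together with the owning uid. It assumes the conventional ustar layout (12-byte field holding 11 octal digits plus a terminator); the names `ustar_mtime_problem` and `scan` are hypothetical.

```python
import os
import sys
from typing import Callable, Iterator, NamedTuple, Optional

# Assumption: conventional ustar layout, where the 12-byte mtime field holds
# 11 octal digits plus a terminator. A given archiver's limit may differ.
USTAR_MTIME_DIGITS = 11
USTAR_MTIME_MAX = 8 ** USTAR_MTIME_DIGITS - 1  # 0o77777777777


class Finding(NamedTuple):
    path: str
    mtime: int
    uid: int
    reason: str


def ustar_mtime_problem(mtime: int) -> Optional[str]:
    """Return why mtime cannot be stored in the ustar field, or None if it fits."""
    if mtime < 0:
        return "negative (before the epoch)"
    if mtime > USTAR_MTIME_MAX:
        return "too large for the octal field"
    return None


def scan(root: str, lstat: Callable = os.lstat) -> Iterator[Finding]:
    """Walk root without following symlinks; yield entries to review before a backup."""
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it here
            mtime = int(st.st_mtime)
            reason = ustar_mtime_problem(mtime)
            if reason:
                yield Finding(path, mtime, st.st_uid, reason)


if __name__ == "__main__":
    # Usage: python3 check_mtime.py /path/to/backup/root
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f.path}: mtime={f.mtime} uid={f.uid}: {f.reason}")
```

Running it over the backup source before the archive job, and comparing the archive's member count against the source afterwards, gives a signal that does not depend on the archiver's own exit status.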