GNU Tar Hostile Destination Path Vulnerability
GNU tar contains a vulnerability in the handling of pathnames for archived files.
By specifying a path for an archived item that points outside the expected directory scope, an attacker can cause the file to be extracted to arbitrary locations on the filesystem, including paths containing system binaries and other sensitive or confidential information.
By default, tar overwrites existing files without warning the user. Because tar applies the permission bits stored in the archive and can override the user's umask, the extracted file can be made executable.
An attacker can exploit this issue to create or overwrite binaries in any desired location. The attacker may be able to elevate privileges, potentially to 'root'.
Versions prior to GNU Tar 1.13.19 are affected.
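As an added example (not part of this advisory and not GNU tar's own code), the following Python check inspects an archive's member names and link targets before extraction and flags any that would land outside the chosen destination directory; the destination path and the sample archive are constructed here for illustration.

```python
import io
import posixpath
import tarfile


def is_outside(base, member_path):
    """True if base/member_path resolves to a location outside base.

    Absolute member paths replace base in posixpath.join, and '..'
    components are collapsed by normpath, so both escape routes are caught.
    """
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, member_path))
    return posixpath.commonpath([base, target]) != base


def hostile_members(archive_bytes, dest="/tmp/extract"):
    """Return (name, reason) for members that would escape dest on extraction."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tf:
        for m in tf.getmembers():
            if is_outside(dest, m.name):
                findings.append((m.name, "path escapes destination"))
            elif m.issym():
                # A symlink target is resolved relative to the member's directory.
                link = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if is_outside(dest, link):
                    findings.append((m.name, "symlink target escapes destination"))
            elif m.islnk() and is_outside(dest, m.linkname):
                findings.append((m.name, "hardlink target escapes destination"))
    return findings


def build_sample_archive():
    """Constructed test archive: one benign member and three hostile ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        data = b"hello\n"
        for name in ("docs/readme.txt", "../../etc/cron.d/job", "/usr/local/bin/ls"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755  # mode bits travel with the archive, not the umask
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc/passwd"
        tf.addfile(link)
    return buf.getvalue()
```

Modern GNU tar strips leading `/` and refuses `..` components unless `-P` is given, and Python 3.12+ offers `extractall(filter="data")` that rejects the same members; this check is useful where an older extractor or custom pipeline is in the path.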