oss-sec mailing list archives

Re: GNU tar: listing/extraction desynchronization allows hidden file injection


From: Collin Funk <collin.funk1 () gmail com>
Date: Sat, 11 Apr 2026 11:41:03 -0700

Alan Coopersmith <alan.coopersmith () oracle com> writes:

Red Hat appears to have assigned CVE-2026-5704 to this issue.

Paul Eggert provided a patch in
https://lists.gnu.org/archive/html/bug-tar/2026-03/msg00011.html
which is also available in
https://cgit.git.savannah.gnu.org/cgit/tar.git/commit/?id=b8d8a61b25588caca4efaf9bdd2e3f1a49da77e3

https://lists.gnu.org/archive/html/bug-tar/2026-03/msg00012.html points out
that a similar report was also included in
https://lists.gnu.org/archive/html/bug-tar/2026-02/msg00022.html
along with a number of other bug reports.

Not directly related to the issues in GNU tar, but one of the reports
you shared [1]. See the following text:

I am happy to coordinate on a disclosure timeline. Please let me know
if you need additional information or testing.

This is one of many examples I have seen lately of people writing as if
they were sending private messages on a public list. I assume it is a
common LLM hallucination?

I find it mildly annoying, especially since it is often paired with
total slop. I guess in this case it isn't a big deal since it is
associated with an actual issue.

For a worse example, see a recent bug report in GNU coreutils claiming
that the 'printf' command allowed for remote code execution because it
allows the user to control the format string [2]. Which is made worse
by it just making up code that doesn't exist.

Collin

[1] https://lists.gnu.org/archive/html/bug-tar/2026-03/msg00007.html
[2] https://bugs.gnu.org/80802
