fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file. The
fstream.DirWriter() function is vulnerable.
Upgrade to version 1.0.12 or later.