Your message dated Mon, 23 Mar 2026 08:48:58 +0000
with message-id <[email protected]>
and subject line Bug#1131481: fixed in rust-tar 0.4.45-1
has caused the Debian Bug report #1131481,
regarding rust-tar: CVE-2026-33056
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131481: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131481
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rust-tar
Version: 0.4.44-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for rust-tar.
CVE-2026-33056[0]:
| tar-rs is a tar archive reading/writing library for Rust. In
| versions 0.4.44 and below, when unpacking a tar archive, the tar
| crate's unpack_dir function uses fs::metadata() to check whether a
| path that already exists is a directory. Because fs::metadata()
| follows symbolic links, a crafted tarball containing a symlink entry
| followed by a directory entry with the same name causes the crate to
| treat the symlink target as a valid existing directory — and
| subsequently apply chmod to it. This allows an attacker to modify
| the permissions of arbitrary directories outside the extraction
| root. This issue has been fixed in version 0.4.45.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-33056
https://www.cve.org/CVERecord?id=CVE-2026-33056
[1]
https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph
[2]
https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
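The advisory quoted in the report above turns on one detail: `fs::metadata()` follows symlinks, so an unpacker that uses it to decide "this path is already a directory" can be steered into chmod'ing a symlink target. The following is an added example, not code from tar-rs or the Debian package, contrasting that check with an `fs::symlink_metadata()` guard that refuses a symlink before any permission change; it assumes a Unix host and writes a constructed fixture under the system temp directory.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

// Check as the advisory describes the vulnerable behaviour: fs::metadata follows
// symlinks, so a symlink pointing at a directory looks like an existing directory.
pub fn is_dir_following_symlinks(path: &Path) -> bool {
    fs::metadata(path).map(|m| m.is_dir()).unwrap_or(false)
}

// Hardened guard for the "entry already exists" branch of an unpacker: uses
// fs::symlink_metadata (lstat), refuses symlinks outright, and only then
// reports whether a genuine directory is present that may safely receive a chmod.
pub fn existing_real_dir(path: &Path) -> io::Result<bool> {
    let meta = fs::symlink_metadata(path)?;
    if meta.file_type().is_symlink() {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            "refusing to treat a symlink as an existing directory",
        ));
    }
    Ok(meta.is_dir())
}

// Constructed fixture (hypothetical paths, Unix only):
//   <root>/outside                       a real directory standing in for a path outside the extraction root
//   <root>/dest/link -> <root>/outside   the kind of symlink an earlier archive entry could leave behind
pub fn build_fixture() -> io::Result<(PathBuf, PathBuf)> {
    let root = std::env::temp_dir().join(format!("cve-2026-33056-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&root); // leftovers from a previous run; errors are irrelevant
    let outside = root.join("outside");
    let link = root.join("dest").join("link");
    fs::create_dir_all(&outside)?;
    fs::create_dir_all(link.parent().unwrap())?;
    std::os::unix::fs::symlink(&outside, &link)?;
    Ok((root, link))
}

// Runs both checks against the symlink and returns
// (vulnerable check result, hardened check result), cleaning up the fixture.
pub fn compare_checks() -> io::Result<(bool, Result<bool, io::ErrorKind>)> {
    let (root, link) = build_fixture()?;
    let vulnerable = is_dir_following_symlinks(&link);
    let hardened = existing_real_dir(&link).map_err(|e| e.kind());
    fs::remove_dir_all(&root)?;
    Ok((vulnerable, hardened))
}

fn main() -> io::Result<()> {
    let (vulnerable, hardened) = compare_checks()?;
    println!("fs::metadata says directory: {vulnerable}"); // true: the symlink target would be chmod'ed
    println!("symlink_metadata guard: {hardened:?}");      // Err(InvalidInput): refused before chmod
    Ok(())
}
```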
--- Begin Message ---
Source: rust-tar
Source-Version: 0.4.45-1
Done: Fabian Grünbichler <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rust-tar, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabian Grünbichler <[email protected]> (supplier of updated
rust-tar package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Mon, 23 Mar 2026 09:41:02 +0100
Source: rust-tar
Architecture: source
Version: 0.4.45-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <[email protected]>
Changed-By: Fabian Grünbichler <[email protected]>
Closes: 1131480 1131481
Changes:
rust-tar (0.4.45-1) unstable; urgency=medium
.
* Team upload.
* Package tar 0.4.45 from crates.io using debcargo 2.8.1
* Fixes CVE-2026-33055 (Closes: #1131480)
* Fixes CVE-2026-33056 (Closes: #1131481)
--- End Message ---