Your message dated Mon, 23 Mar 2026 08:48:58 +0000
with message-id <[email protected]>
and subject line Bug#1131480: fixed in rust-tar 0.4.45-1
has caused the Debian Bug report #1131480,
regarding rust-tar: CVE-2026-33055
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1131480: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131480
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rust-tar
Version: 0.4.44-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for rust-tar.

CVE-2026-33055[0]:
| tar-rs is a tar archive reading/writing library for Rust. Versions
| 0.4.44 and below have conditional logic that skips the PAX size
| header in cases where the base header size is nonzero. As part of
| CVE-2025-62518, the astral-tokio-tar project was changed to
| correctly honor PAX size headers in the case where it was different
| from the base header. This is almost the inverse of the astral-
| tokio-tar issue. Any discrepancy in how tar parsers honor file size
| can be used to create archives that appear differently when unpacked
| by different archivers. In this case, the tar-rs (Rust tar) crate is
| an outlier in checking for the header size - other tar parsers
| (including e.g. Go archive/tar) unconditionally use the PAX size
| override. This can affect anything that uses the tar crate to parse
| archives and expects to have a consistent view with other parsers.
| This issue has been fixed in version 0.4.45.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33055
    https://www.cve.org/CVERecord?id=CVE-2026-33055
[1] https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff
[2] https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
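The advisory above hinges on two ways of resolving an entry's size: the pre-0.4.45 tar-rs logic (consult the PAX `size` record only when the ustar size field is zero) versus the unconditional PAX override used by parsers such as Go's archive/tar. The following is an added example, not code from tar-rs or the Debian package, that parses the ustar size field and PAX records from constructed bytes, computes both interpretations, and flags an archive whose entries would be read differently; the helper names and the constructed sample values are assumptions.

```python
"""Compare ustar header size with a PAX 'size' override (constructed example)."""

BLOCK = 512


def parse_octal(field: bytes) -> int:
    """Decode a ustar numeric field: ASCII octal, NUL/space padded."""
    text = field.split(b"\0", 1)[0].strip()
    return int(text, 8) if text else 0


def parse_pax_records(payload: bytes) -> dict:
    """Parse PAX extended-header records of the form '<len> <key>=<value>\\n'."""
    records = {}
    pos = 0
    while pos < len(payload):
        sp = payload.index(b" ", pos)
        length = int(payload[pos:sp])          # decimal length of the whole record
        record = payload[pos:pos + length]
        key, _, value = record[sp - pos + 1:-1].partition(b"=")
        records[key.decode()] = value.decode()
        pos += length
    return records


def build_ustar_header(name: bytes, size: int) -> bytes:
    """Constructed minimal 512-byte ustar header; only name and size are filled."""
    header = bytearray(BLOCK)
    header[0:len(name)] = name
    header[124:136] = b"%011o\0" % size        # size field: offset 124, 12 bytes
    return bytes(header)


def resolve_sizes(header: bytes, pax: dict) -> dict:
    """Return both size interpretations and whether they agree."""
    base = parse_octal(header[124:136])
    pax_size = int(pax["size"]) if "size" in pax else None
    # Pre-0.4.45 tar-rs behaviour as described in the advisory: the PAX size
    # was honoured only when the base header size was zero.
    legacy = pax_size if (base == 0 and pax_size is not None) else base
    # Behaviour of e.g. Go archive/tar: a PAX size record always overrides.
    pax_override = pax_size if pax_size is not None else base
    return {
        "base": base,
        "pax": pax_size,
        "legacy_tar_rs": legacy,
        "pax_override": pax_override,
        "consistent": legacy == pax_override,   # False => parsers would diverge
    }
```

A pre-extraction check that rejects archives where `consistent` is false removes the ambiguity regardless of which parser version sits downstream.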
--- Begin Message ---
Source: rust-tar
Source-Version: 0.4.45-1
Done: Fabian Grünbichler <[email protected]>

We believe that the bug you reported is fixed in the latest version of
rust-tar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Grünbichler <[email protected]> (supplier of updated rust-tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Mon, 23 Mar 2026 09:41:02 +0100
Source: rust-tar
Architecture: source
Version: 0.4.45-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <[email protected]>
Changed-By: Fabian Grünbichler <[email protected]>
Closes: 1131480 1131481
Changes:
 rust-tar (0.4.45-1) unstable; urgency=medium
 .
   * Team upload.
   * Package tar 0.4.45 from crates.io using debcargo 2.8.1
   * Fixes CVE-2026-33055 (Closes: #1131480)
   * Fixes CVE-2026-33056 (Closes: #1131481)



--- End Message ---
