Source: rust-tar Version: 0.4.44-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for rust-tar. CVE-2026-33056[0]: | tar-rs is a tar archive reading/writing library for Rust. In | versions 0.4.44 and below, when unpacking a tar archive, the tar | crate's unpack_dir function uses fs::metadata() to check whether a | path that already exists is a directory. Because fs::metadata() | follows symbolic links, a crafted tarball containing a symlink entry | followed by a directory entry with the same name causes the crate to | treat the symlink target as a valid existing directory — and | subsequently apply chmod to it. This allows an attacker to modify | the permissions of arbitrary directories outside the extraction | root. This issue has been fixed in version 0.4.45. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-33056 https://www.cve.org/CVERecord?id=CVE-2026-33056 [1] https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph [2] https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
