Source: rust-astral-tokio-tar Version: 0.5.6-2 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for rust-astral-tokio-tar. CVE-2026-32766[0]: | astral-tokio-tar is a tar archive reading/writing library for async | Rust. In versions 0.5.6 and earlier, malformed PAX extensions were | silently skipped when parsing tar archives. This silent skipping | (rather than rejection) of invalid PAX extensions could be used as a | building block for a parser differential, for example by silently | skipping a malformed GNU “long link” extension so that a subsequent | parser would misinterpret the extension. In practice, exploiting | this behavior in astral-tokio-tar requires a secondary misbehaving | tar parser, i.e. one that insufficiently validates malformed PAX | extensions and interprets them rather than skipping or erroring on | them. This vulnerability is considered low-severity as it requires a | separate vulnerability against any unrelated tar parser. This issue | has been fixed in version 0.6.0. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-32766 https://www.cve.org/CVERecord?id=CVE-2026-32766 [1] https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-6gx3-4362-rf54 [2] https://github.com/astral-sh/tokio-tar/commit/e5e0139cae4577eeedf5fc16b65e690bf988ce52 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
