Source: rust-astral-tokio-tar
Version: 0.5.5-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 0.5.2-2
Hi,

The following vulnerability was published for rust-astral-tokio-tar.

CVE-2025-62518[0]:
| astral-tokio-tar is a tar archive reading/writing library for async
| Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary
| parsing vulnerability that allows attackers to smuggle additional
| archive entries by exploiting inconsistent PAX/ustar header
| handling. When processing archives with PAX-extended headers
| containing size overrides, the parser incorrectly advances stream
| position based on ustar header size (often zero) instead of the PAX-
| specified size, causing it to interpret file content as legitimate
| tar headers. This issue has been patched in version 0.5.6. There are
| no workarounds.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-62518
    https://www.cve.org/CVERecord?id=CVE-2025-62518
[1] https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx
[2] https://github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318
[3] https://edera.dev/stories/tarmageddon
[4] https://github.com/edera-dev/cve-tarmageddon

Regards,
Salvatore
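To make the parsing fault described in the advisory concrete, here is an added example; it is not code from astral-tokio-tar and not the upstream fix. It is a minimal synchronous tar reader in Rust that advances the stream position using the PAX `size` record when one precedes a member, instead of the member's own ustar size field, together with a constructed archive in which the ustar size field of `data.bin` is zero while the preceding PAX header declares 600 bytes. All names here (`list_entries`, `sample_archive`, `ustar_header`, `data_end`) and the sample archive itself are this example's own assumptions; the payload is plain filler bytes, and the header checksum check is an extra sanity check, not part of what the advisory describes.

```rust
use std::collections::HashMap;

const BLOCK: usize = 512;

/// One archive member after PAX overrides (size, path) have been applied.
#[derive(Debug)] pub struct Entry { pub name: String, pub size: u64, pub typeflag: u8 }
/// Parse a NUL/space-terminated octal field from a ustar header.
fn parse_octal(field: &[u8]) -> Option<u64> {
    let text = String::from_utf8_lossy(field);
    let digits = text.trim_matches(|c| c == '\0' || c == ' ');
    if digits.is_empty() { Some(0) } else { u64::from_str_radix(digits, 8).ok() }
}

/// Verify the header checksum; the chksum field itself counts as eight spaces.
fn checksum_ok(hdr: &[u8]) -> bool {
    let computed: u64 = hdr.iter().enumerate()
        .map(|(i, &b)| if (148..156).contains(&i) { 32 } else { b as u64 }).sum();
    parse_octal(&hdr[148..156]) == Some(computed)
}

/// Parse PAX records "<len> <key>=<value>\n", where <len> counts the whole record.
fn parse_pax(data: &[u8]) -> Option<HashMap<String, String>> {
    let (mut map, mut pos) = (HashMap::new(), 0);
    while pos < data.len() {
        let rest = &data[pos..];
        let sp = rest.iter().position(|&b| b == b' ')?;
        let len: usize = std::str::from_utf8(&rest[..sp]).ok()?.parse().ok()?;
        if len <= sp + 1 || len > rest.len() || rest[len - 1] != b'\n' { return None; }
        let (key, value) = std::str::from_utf8(&rest[sp + 1..len - 1]).ok()?.split_once('=')?;
        map.insert(key.to_string(), value.to_string());
        pos += len;
    }
    Some(map)
}

/// Block boundary after `size` data bytes at `pos`; None on overflow or past `limit`.
fn data_end(pos: usize, size: u64, limit: usize) -> Option<usize> {
    let blocks = size / BLOCK as u64 + u64::from(size % BLOCK as u64 != 0);
    let end = (pos as u64).checked_add(blocks.checked_mul(BLOCK as u64)?)?;
    if end <= limit as u64 { Some(end as usize) } else { None }
}

/// Walk the archive, advancing past each member by the PAX-declared size when present.
pub fn list_entries(archive: &[u8]) -> Result<Vec<Entry>, String> {
    let mut pending_pax: Option<HashMap<String, String>> = None;
    let (mut entries, mut pos) = (Vec::new(), 0);
    while pos + BLOCK <= archive.len() {
        let hdr = &archive[pos..pos + BLOCK];
        if hdr.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        if !checksum_ok(hdr) { return Err(format!("bad header checksum at offset {}", pos)); }
        let ustar_name = String::from_utf8_lossy(&hdr[..100]).trim_end_matches('\0').to_string();
        let ustar_size = parse_octal(&hdr[124..136]).ok_or("unparsable size field")?;
        let typeflag = hdr[156];
        pos += BLOCK;
        // For the member after a PAX header, the PAX "size" record overrides the (possibly zero) ustar field.
        let size = match (typeflag, pending_pax.as_ref().and_then(|p| p.get("size"))) {
            (b'x', _) | (_, None) => ustar_size,
            (_, Some(v)) => v.parse::<u64>().map_err(|_| "unparsable PAX size")?,
        };
        let end = data_end(pos, size, archive.len()).ok_or("truncated entry")?;
        if typeflag == b'x' {
            pending_pax = Some(parse_pax(&archive[pos..pos + size as usize]).ok_or("malformed PAX header")?);
        } else {
            let name = pending_pax.as_ref().and_then(|p| p.get("path")).cloned().unwrap_or(ustar_name);
            entries.push(Entry { name, size, typeflag });
            pending_pax = None;
        }
        pos = end;
    }
    Ok(entries)
}

/// Build one ustar header block with a valid checksum (constructed test helper).
pub fn ustar_header(name: &str, size: u64, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes());
    h[156] = typeflag;
    h[257..265].copy_from_slice(b"ustar\x0000");
    let sum: u64 = h.iter().map(|&b| b as u64).sum::<u64>() + 8 * 32; // chksum field counts as spaces
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}
/// Constructed sample: the ustar size field of data.bin says 0 while the PAX header says 600.
pub fn sample_archive() -> Vec<u8> {
    let pad = |a: &mut Vec<u8>| a.resize((a.len() + BLOCK - 1) / BLOCK * BLOCK, 0);
    let payload = vec![b'A'; 600];
    let rec = b"12 size=600\n"; // 12 = two digits + space + "size=600" + newline
    let mut a = Vec::new();
    a.extend_from_slice(&ustar_header("PaxHeaders/data.bin", rec.len() as u64, b'x'));
    a.extend_from_slice(rec);
    pad(&mut a);
    a.extend_from_slice(&ustar_header("data.bin", 0, b'0'));
    a.extend_from_slice(&payload);
    pad(&mut a);
    a.resize(a.len() + 2 * BLOCK, 0); // end-of-archive marker
    a
}
fn main() { println!("{:?}", list_entries(&sample_archive())); }
```

Run with `rustc` and execute, or keep it as a test target; `list_entries` on the sample yields a single `data.bin` member of 600 bytes and the next header is read at the block boundary after those bytes. If the reader instead advanced by the ustar field (zero here), it would read the first 512 bytes of the payload as the next header, which is the position desynchronisation the advisory describes. The checksum check catches random filler but is not a defence on its own, since the advisory's point is that the misread content can be a well-formed header; the fix is choosing the right size, and bounds checks on `data_end` keep a declared size from reading past the buffer.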

