Your message dated Wed, 22 Oct 2025 18:53:48 +0000
with message-id <[email protected]>
and subject line Bug#1118562: fixed in rust-astral-tokio-tar 0.5.6-1
has caused the Debian Bug report #1118562,
regarding rust-astral-tokio-tar: CVE-2025-62518
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1118562: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118562
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rust-astral-tokio-tar
Version: 0.5.5-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 0.5.2-2

Hi,

The following vulnerability was published for rust-astral-tokio-tar.

CVE-2025-62518[0]:
| astral-tokio-tar is a tar archive reading/writing library for async
| Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary
| parsing vulnerability that allows attackers to smuggle additional
| archive entries by exploiting inconsistent PAX/ustar header
| handling. When processing archives with PAX-extended headers
| containing size overrides, the parser incorrectly advances stream
| position based on ustar header size (often zero) instead of the PAX-
| specified size, causing it to interpret file content as legitimate
| tar headers. This issue has been patched in version 0.5.6. There are
| no workarounds.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-62518
    https://www.cve.org/CVERecord?id=CVE-2025-62518
[1] https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx
[2] https://github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318
[3] https://edera.dev/stories/tarmageddon
[4] https://github.com/edera-dev/cve-tarmageddon

Regards,
Salvatore

--- End Message ---
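The PAX/ustar boundary problem described in the advisory text above, shown as an added example that is not part of the bug report or of astral-tokio-tar's own code: a minimal tar walker with the two behaviours side by side (advance by the ustar size field, or by the PAX "size=" override), run as a regression check over a constructed archive. All names (`list_entries`, `pax_size`, `sample_archive`) and the archive contents are assumptions made up here, and the walker deliberately validates nothing else (no checksum or magic checks).

```rust
// Constructed for this note (not astral-tokio-tar's code): a minimal tar walker that
// advances by the ustar size field (the bug) or by the PAX "size=" override (the fix).
const BLOCK: usize = 512;
fn pad(len: usize) -> usize { (len + BLOCK - 1) / BLOCK * BLOCK }
/// Minimal ustar header: name, 11-digit octal size field, typeflag, magic.
fn header(name: &str, size: u64, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    h[156] = typeflag;
    h[257..262].copy_from_slice(b"ustar");
    h
}
/// Pull "size=" out of PAX records, which are shaped "<len> key=value\n".
fn pax_size(body: &[u8]) -> Option<usize> {
    let text = std::str::from_utf8(body).ok()?;
    text.lines().find_map(|l| l.split_once(' ')?.1.strip_prefix("size=")?.parse::<usize>().ok())
}
/// List entry names, skipping content by the ustar size (honor_pax = false) or by the PAX override (true).
fn list_entries(archive: &[u8], honor_pax: bool) -> Vec<String> {
    let (mut names, mut pos, mut pending) = (Vec::<String>::new(), 0usize, None::<usize>);
    while pos + BLOCK <= archive.len() {
        let h = &archive[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive block
        let name = String::from_utf8_lossy(&h[..100]).trim_end_matches('\0').to_string();
        let field = std::str::from_utf8(&h[124..136]).unwrap_or("").trim_matches(&['\0', ' '][..]);
        let ustar_size = usize::from_str_radix(field, 8).unwrap_or(0);
        pos += BLOCK;
        if h[156] == b'x' { // PAX extended header: its body carries the overrides
            pending = pax_size(&archive[pos..(pos + ustar_size).min(archive.len())]);
            pos += pad(ustar_size);
            continue;
        }
        let size = if honor_pax { pending.take().unwrap_or(ustar_size) } else { ustar_size };
        names.push(name);
        pos += pad(size); // with the bug this adds 0, so the content is read as the next header
    }
    names
}
/// Constructed archive: "data.bin" has ustar size 0 but PAX size 512, and its content is a
/// 512-byte block shaped like a ustar header naming "smuggled.txt".
fn sample_archive() -> Vec<u8> {
    let pax_body = b"12 size=512\n";
    let mut a = header("PaxHeaders/data.bin", pax_body.len() as u64, b'x').to_vec();
    a.extend_from_slice(pax_body);
    a.resize(pad(a.len()), 0); // pad the PAX body to a block boundary
    a.extend_from_slice(&header("data.bin", 0, b'0'));
    a.extend_from_slice(&header("smuggled.txt", 0, b'0'));
    a.resize(a.len() + 2 * BLOCK, 0); // end-of-archive marker
    a
}
```

Walking `sample_archive()` with `honor_pax = false` lists `data.bin` and `smuggled.txt`; with `honor_pax = true` only `data.bin`, since the 512 content bytes are skipped as the PAX record requires.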
--- Begin Message ---
Source: rust-astral-tokio-tar
Source-Version: 0.5.6-1
Done: Fabian Grünbichler <[email protected]>

We believe that the bug you reported is fixed in the latest version of
rust-astral-tokio-tar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Grünbichler <[email protected]> (supplier of updated rust-astral-tokio-tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Wed, 22 Oct 2025 20:29:36 +0200
Source: rust-astral-tokio-tar
Architecture: source
Version: 0.5.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <[email protected]>
Changed-By: Fabian Grünbichler <[email protected]>
Closes: 1118562
Changes:
 rust-astral-tokio-tar (0.5.6-1) unstable; urgency=medium
 .
   * Team upload.
   * Package astral-tokio-tar 0.5.6 from crates.io using debcargo 2.7.11
     - Drop default RRR³ "no" value
     - Update d/watch to uscan v5
   * Closes: #1118562 / CVE-2025-62518
Checksums-Sha1:
Checksums-Sha256:
Files:

--- End Message ---