cpe:2.3:a:alexcrichton:tar-rs:*:*:*:*:*:*:*:*

Part: a
Version: *
Update: *
Vendor: Alexcrichton (6bda43a3-847c-553b-a0c2-338b240cf556)
Product: Tar Rs (fc3803fc-266c-57f4-89a4-d078f3c4ebec)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL: pkg:github/alexcrichton/tar-rs
Source: purl2cpe
Last updated: 2026-06-01 10:13:20.711791

Vulnerability references

Identifier: CVE-2026-33056
CPE applicability: vulnerable
Submitted: 2026-06-08 07:57:18.521646
db.gcve.eu details: tar-rs: unpack_in can chmod arbitrary directories by following symlinks
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.
Published: 2026-03-20T07:11:10.448Z
Updated: 2026-03-20T12:59:30.468Z
Reference links: none listed
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2026-33055
CPE applicability: vulnerable
Submitted: 2026-06-08 07:57:18.520621
db.gcve.eu details: tar-rs incorrectly ignores PAX size headers if header size is nonzero
tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue. Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size; other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers. This issue has been fixed in version 0.4.45.
Published: 2026-03-20T07:06:08.390Z
Updated: 2026-03-20T15:44:15.706Z
Reference links: none listed
Rationale: Imported from gcve-enriched-dumps CVE data
