cpe:2.3:a:alexcrichton:tar-rs:*:*:*:*:*:rust:*:*
part: a version: * update: *
| Vendor | Alexcrichton (6bda43a3-847c-553b-a0c2-338b240cf556) |
|---|---|
| Product | Tar Rs (fc3803fc-266c-57f4-89a4-d078f3c4ebec) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | rust |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/alexcrichton/tar-rs | purl2cpe | 2026-06-01 10:13:20.713176 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-33055 | vulnerable | 2026-06-08 07:57:18.521175 | tar-rs incorrectly ignores PAX size headers if header size is nonzero. tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue. Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size; other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers. This issue has been fixed in version 0.4.45. Published: 2026-03-20T07:06:08.390Z. Updated: 2026-03-20T15:44:15.706Z | Imported from gcve-enriched-dumps CVE data |