
cpe:2.3:a:alexcrichton:tar-rs:*:*:*:*:*:rust:*:*

Part: a
Version: *
Update: *

Vendor: Alexcrichton (6bda43a3-847c-553b-a0c2-338b240cf556)
Product: Tar Rs (fc3803fc-266c-57f4-89a4-d078f3c4ebec)
Edition: *
Language: *
Software edition: *
Target software: rust
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL: pkg:github/alexcrichton/tar-rs
Source: purl2cpe
Last updated: 2026-06-01 10:13:20.713176

Vulnerability references

Identifier: CVE-2026-33055
CPE applicability: vulnerable
Submitted: 2026-06-08 07:57:18.521175
db.gcve.eu details: tar-rs incorrectly ignores PAX size headers if header size is nonzero
Rationale: tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue. Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size - other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers. This issue has been fixed in version 0.4.45.
Published: 2026-03-20T07:06:08.390Z
Updated: 2026-03-20T15:44:15.706Z
Reference links
Imported from gcve-enriched-dumps CVE data
