- Reported:
- Issued:
- Package: astral-tokio-tar (crates.io)
- Type: Vulnerability
- Keywords: #tar
- Aliases:
- CVSS Score: 1.7 LOW
- CVSS Details:
  - Attack Complexity: High
  - Attack Requirements: Present
  - Attack Vector: Network
  - Privileges Required: None
  - Availability Impact to the Subsequent System: None
  - Confidentiality Impact to the Subsequent System: None
  - Integrity Impact to the Subsequent System: None
  - User Interaction: None
  - Availability Impact to the Vulnerable System: None
  - Confidentiality Impact to the Vulnerable System: None
  - Integrity Impact to the Vulnerable System: Low
  - Exploit Maturity: Unreported
- CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
- Patched:
Description
In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions
were silently skipped when parsing tar archives. This silent skipping (rather
than rejection) of invalid PAX extensions could be used as a building block for
a parser differential, for example by silently skipping a malformed GNU "long
link" extension so that a subsequent parser would misinterpret the extension.
In practice, exploiting this behavior in astral-tokio-tar requires a secondary
misbehaving tar parser, i.e. one that insufficiently validates malformed PAX
extensions and interprets them rather than skipping or erroring on them. This
vulnerability is considered low-severity because exploiting it requires a
separate vulnerability in an unrelated tar parser.
This issue has been fixed in version 0.6.0.
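The failure mode described above, silently dropping a PAX record that cannot be parsed instead of rejecting the archive, as an added example that is not part of this advisory or of the astral-tokio-tar crate. The code is a minimal standalone parser for POSIX PAX extended-header records (`%d %s=%s\n`, where the decimal length counts every byte of the record including itself and the trailing newline). The `PaxError` type, the function names and the sample records are constructed for illustration; the lenient variant shows the general skip-on-error pattern, not the crate's actual 0.5.6 code.

```rust
// Added example; not code from the astral-tokio-tar advisory or the crate.
// PAX extended-header records have the form "<length> <keyword>=<value>\n",
// where <length> is the decimal byte count of the whole record (length field,
// space, keyword, '=', value and newline included). The strict parser rejects
// any malformed record; the lenient parser silently skips it.

use std::collections::BTreeMap;

/// Parsed records; a later record overrides an earlier one with the same keyword.
pub type PaxRecords = BTreeMap<String, Vec<u8>>;

/// Error kinds, each carrying the byte offset of the offending record.
#[derive(Debug, PartialEq, Eq)]
pub enum PaxError {
    /// Length field missing, empty, non-decimal, or too small to hold a record.
    BadLength(usize),
    /// Declared length runs past the end of the extended-header data.
    Truncated(usize),
    /// Record does not end in '\n', lacks '=', or has an empty/non-UTF-8 keyword.
    Malformed(usize),
}

/// Parse one record at `pos`; return (keyword, value, offset just past the record).
fn parse_record(data: &[u8], pos: usize) -> Result<(String, Vec<u8>, usize), PaxError> {
    let rest = &data[pos..];
    // Length field: ASCII digits terminated by exactly one space.
    let space = rest.iter().position(|&b| b == b' ').ok_or(PaxError::BadLength(pos))?;
    let len_field = &rest[..space];
    // Explicit digit check: str::parse would otherwise accept a leading '+'.
    if len_field.is_empty() || !len_field.iter().all(u8::is_ascii_digit) {
        return Err(PaxError::BadLength(pos));
    }
    let len: usize = std::str::from_utf8(len_field)
        .map_err(|_| PaxError::BadLength(pos))?
        .parse()
        .map_err(|_| PaxError::BadLength(pos))?;
    // The record must at least cover the length field, the space and a newline.
    if len < space + 2 {
        return Err(PaxError::BadLength(pos));
    }
    if len > rest.len() {
        return Err(PaxError::Truncated(pos));
    }
    let record = &rest[..len];
    // The declared length must land exactly on the record's newline terminator.
    if record[len - 1] != b'\n' {
        return Err(PaxError::Malformed(pos));
    }
    let body = &record[space + 1..len - 1];
    let eq = body.iter().position(|&b| b == b'=').ok_or(PaxError::Malformed(pos))?;
    let keyword = std::str::from_utf8(&body[..eq]).map_err(|_| PaxError::Malformed(pos))?;
    if keyword.is_empty() {
        return Err(PaxError::Malformed(pos));
    }
    Ok((keyword.to_string(), body[eq + 1..].to_vec(), pos + len))
}

/// Strict: the first malformed record fails the whole extended header.
pub fn parse_pax_strict(data: &[u8]) -> Result<PaxRecords, PaxError> {
    let mut records = PaxRecords::new();
    let mut pos = 0;
    while pos < data.len() {
        let (key, value, next) = parse_record(data, pos)?;
        records.insert(key, value);
        pos = next;
    }
    Ok(records)
}

/// Lenient: a malformed record is skipped up to the next newline with no
/// indication to the caller that anything was dropped.
pub fn parse_pax_lenient(data: &[u8]) -> PaxRecords {
    let mut records = PaxRecords::new();
    let mut pos = 0;
    while pos < data.len() {
        match parse_record(data, pos) {
            Ok((key, value, next)) => {
                records.insert(key, value);
                pos = next;
            }
            Err(_) => {
                pos = match data[pos..].iter().position(|&b| b == b'\n') {
                    Some(nl) => pos + nl + 1,
                    None => data.len(),
                };
            }
        }
    }
    records
}

fn main() {
    // Constructed sample: the first record declares 17 bytes but is 18 bytes
    // long, so its declared end lands on 's' rather than on the newline.
    let data: &[u8] = b"17 path=etc/hosts\n30 mtime=1234567890.123456789\n";
    println!("strict:  {:?}", parse_pax_strict(data));
    println!("lenient: {:?}", parse_pax_lenient(data));
}
```

On the constructed input, the strict parser returns `Err(Malformed(0))`, so a caller can reject the archive and log the offset; the lenient parser returns a map containing only `mtime`, with nothing to signal that the `path` record was present in the bytes but dropped. That silent divergence between what the bytes contain and what one parser reports is the building block the advisory refers to, and the fix is to make the length, terminator and separator checks fatal rather than skip-on-error.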
Advisory available under CC0-1.0 license.