- Reported
-
- Issued
-
- Package
-
tar
(crates.io)
- Type
-
Vulnerability
- Keywords
-
#tar
- Aliases
-
- CVSS Score
- 5.1
MEDIUM
- CVSS Details
-
- Attack Complexity
- Low
- Attack Requirements
- None
- Attack Vector
- Network
- Privileges Required
- None
- Availability Impact to the Subsequent System
- None
- Confidentiality Impact to the Subsequent System
- None
- Integrity Impact to the Subsequent System
- None
- User Interaction
- Active
- Availability Impact to the Vulnerable System
- None
- Confidentiality Impact to the Vulnerable System
- Low
- Integrity Impact to the Vulnerable System
- Low
- CVSS Vector
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
- Patched
-
Description
Versions 0.4.44 and below of tar-rs have conditional logic that skips the PAX
size header in cases where the base header size is nonzero.
As part of CVE-2025-62518, the astral-tokio-tar
project was changed to correctly honor PAX size headers in the case where it
was different from the base header. This is almost the inverse of the
astral-tokio-tar issue.
Any discrepancy in how tar parsers honor file size can be used to create
archives that appear differently when unpacked by different archivers. In this
case, the tar-rs (Rust tar) crate is an outlier in checking for the header size
— other tar parsers (including e.g. Go archive/tar) unconditionally
use the PAX size override. This can affect anything that uses the tar crate to
parse archives and expects to have a consistent view with other parsers.
This issue has been fixed in version 0.4.45.
Advisory available under CC0-1.0
license.