- Reported:
- Issued:
- Package: astral-tokio-tar (crates.io)
- Type: Vulnerability
- Categories:
- Keywords: #parser-differential #smuggling
- Aliases:
- References:
- Patched:
Description
Versions of astral-tokio-tar prior to 0.6.1 contain a PAX header interpretation bug: a crafted archive can contain entries that astral-tokio-tar extracts but other tar implementations do not (or vice versa), so manipulated entries can be made selectively visible or invisible depending on which tool extracts the archive. An attacker could use this differential to smuggle unexpected files onto a victim's filesystem.
Advisory available under CC0-1.0 license.