Описание
astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | needs-triage | |
| jammy | DNE | |
| noble | DNE | |
| plucky | ignored | end of life, was needs-triage |
| questing | needs-triage | |
| upstream | released | 0.5.6-1 |
Показывать по
Ссылки на источники
8.1 High
CVSS3
Связанные уязвимости
astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.
astral-tokio-tar is a tar archive reading/writing library for async Ru ...
astral-tokio-tar Vulnerable to PAX Header Desynchronization
Уязвимость библиотеки для чтения/записи tar-архивов astral-tokio-tar, связанная с ошибками преобразования типов данных, позволяющая нарушителю выполнить произвольный код
8.1 High
CVSS3