Package details: pkg:apk/alpine/rust@1.83.0-r1?arch=aarch64&distroversion=v3.21&reponame=main
purl pkg:apk/alpine/rust@1.83.0-r1?arch=aarch64&distroversion=v3.21&reponame=main
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability: VCID-qj1y-b8m1-hyfm

Summary: tar-rs `unpack_in` can chmod arbitrary directories by following symlinks

## Summary

When unpacking a tar archive, the `tar` crate's `unpack_dir` function uses `fs::metadata()` to check whether a path that already exists is a directory. Because `fs::metadata()` follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply `chmod` to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root.

## Reproducer

A malicious tarball contains two entries: (1) a symlink `foo` pointing to an arbitrary external directory, and (2) a directory entry `foo/.` (or just `foo`). When unpacked, `create_dir("foo")` fails with `EEXIST` because the symlink is already on disk. The `fs::metadata()` check then follows the symlink, sees a directory at the target, and allows processing to continue. The directory entry's mode bits are then applied via `chmod`, which also follows the symlink — modifying the permissions of the external target directory.

## Fix

The fix is very simple: we now use `fs::symlink_metadata()` in `unpack_dir`, so symlinks are detected and rejected rather than followed.

## Credit

This issue was reported by @xokdvium - thank you!

Aliases: CVE-2026-33056, GHSA-j4xf-2g29-59ph
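The advisory turns on the difference between `fs::metadata()` (follows symlinks) and `fs::symlink_metadata()` (does not). The following is an added example, not code from the `tar` crate or from this record: it builds a constructed layout in a temporary directory (a real directory outside the extraction root and a symlink `root/foo` pointing at it, the state a crafted archive leaves behind), then runs a check modelled on the vulnerable logic beside a hardened one and reports what each concludes. The function and type names (`check_existing_following_links`, `check_existing_no_follow`, `ExistingEntry`, `build_scenario`, `compare_checks`) are this example's own, and it assumes a Unix host because it creates a symlink with `std::os::unix::fs::symlink`. No permissions are changed; the point is only which check lets the symlink through.

```rust
// Added example (not tar-rs code): contrast the two existence checks the
// advisory describes. `fs::metadata` follows symlinks, so a symlink to a
// directory looks like a directory; `fs::symlink_metadata` reports the
// symlink itself and lets an unpacker refuse it before any chmod.
// Assumes a Unix host (uses std::os::unix::fs::symlink).
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Outcome of inspecting a path that already exists where a directory
/// entry from an archive is about to be created.
#[derive(Debug, PartialEq, Eq)]
pub enum ExistingEntry {
    /// A real directory: safe to reuse and to apply the entry's mode to.
    Directory,
    /// A symlink (or a non-directory): must not be treated as the directory.
    Rejected,
}

/// Check modelled on the vulnerable behaviour: `fs::metadata` follows the
/// symlink, so a link that resolves to a directory passes as a directory.
pub fn check_existing_following_links(path: &Path) -> io::Result<ExistingEntry> {
    let md = fs::metadata(path)?;
    Ok(if md.is_dir() { ExistingEntry::Directory } else { ExistingEntry::Rejected })
}

/// Hardened check: `fs::symlink_metadata` does not follow the link, so a
/// symlink is seen as a symlink and rejected.
pub fn check_existing_no_follow(path: &Path) -> io::Result<ExistingEntry> {
    let md = fs::symlink_metadata(path)?;
    if md.file_type().is_symlink() || !md.is_dir() {
        return Ok(ExistingEntry::Rejected);
    }
    Ok(ExistingEntry::Directory)
}

/// Constructed scenario in a fresh temp dir: `target/` is a real directory
/// outside the extraction root, and `root/foo` is a symlink pointing at it.
/// Returns (root, target).
pub fn build_scenario() -> io::Result<(PathBuf, PathBuf)> {
    let base = std::env::temp_dir().join(format!("tar_symlink_demo_{}", std::process::id()));
    let _ = fs::remove_dir_all(&base); // start clean if a previous run left it
    let root = base.join("root");
    let target = base.join("target");
    fs::create_dir_all(&root)?;
    fs::create_dir_all(&target)?;
    std::os::unix::fs::symlink(&target, root.join("foo"))?;
    Ok((root, target))
}

/// Run both checks against the symlink and return (vulnerable, hardened).
/// Cleans up the temp layout afterwards.
pub fn compare_checks() -> io::Result<(ExistingEntry, ExistingEntry)> {
    let (root, _target) = build_scenario()?;
    let link = root.join("foo");
    let vulnerable = check_existing_following_links(&link)?;
    let hardened = check_existing_no_follow(&link)?;
    if let Some(base) = root.parent() {
        let _ = fs::remove_dir_all(base);
    }
    Ok((vulnerable, hardened))
}

fn main() -> io::Result<()> {
    let (vulnerable, hardened) = compare_checks()?;
    println!("fs::metadata check:         {:?}", vulnerable); // Directory
    println!("fs::symlink_metadata check: {:?}", hardened); // Rejected
    Ok(())
}
```

Run with `cargo run` or `rustc` on a Unix machine. The first check accepts the symlink as a directory, which is exactly the state in which the original code went on to `chmod` the link target; the second refuses it. A hardened unpacker should apply the non-following check to every path component it reuses, not only to the final entry.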

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T19:14:04.255526+00:00 | Alpine Linux Importer | Fixing | VCID-qj1y-b8m1-hyfm | https://secdb.alpinelinux.org/v3.21/main.json | 38.0.0 |