{"url":"http://public2.vulnerablecode.io/api/packages/515484?format=json","purl":"pkg:cargo/astral-tokio-tar@0.6.1","type":"cargo","namespace":"","name":"astral-tokio-tar","version":"0.6.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.6.2","latest_non_vulnerable_version":"0.6.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/94717?format=json","vulnerability_id":"VCID-hwns-d6kn-kycu","summary":"astral-tokio-tar has a PAX Header Desynchronization issue\n### Impact\n\nVersions of astral-tokio-tar prior to 0.6.2 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected files onto a victim's filesystem.\n\n### Details\n\nWhen a tar stream contains multiple \"header\" entries prior to a file entry, astral-tokio-tar applies the PAX header (`x`) to the next entry in the stream, regardless of type. For example, a stream of `x -> L -> file` (PAX, GNU longname, file) would result in `x`'s extensions being applied to `L` rather than to `file`.\n\n[Per POSIX pax](https://pubs.opengroup.org/onlinepubs/9799919799/utilities/pax.html), this is incorrect: a PAX header always applies to a file entry, not any intermediary entries. See the \"pax Header Block\" section for the specific prescription there.\n\nAs a result of this, an attacker can contrive a tar containing a sequence of tar headers such that astral-tokio-tar applies the PAX header's size extension to the next header in sequence, effectively desynchronizing the stream and enabling astral-tokio-tar specific skipping or extraction of members. In other words, a file can be contrived to extract differently on astral-tokio-tar than on other tar parsers.\n\n### Patches\n\nVersions 0.6.2 and newer of astral-tokio-tar address this differential.\n\n### Workarounds\n\nUsers are advised to upgrade to version 0.6.1 or newer to address this advisory.\n\nThere is no workaround other than upgrading. Users should experience no breaking changes as a result of the upgrade.\n\n### Resources\n\n- GHSA-j5gw-2vrg-8fgx is a similar PAX desynchronization bug\n- GHSA-fp55-jw48-c537 is another similar PAX desynchronization bug","references":[{"reference_url":"https://github.com/astral-sh/tokio-tar","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/astral-sh/tokio-tar"},{"reference_url":"https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-3cv2-h65g-fgmm","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-3cv2-h65g-fgmm"},{"reference_url":"https://rustsec.org/advisories/RUSTSEC-2026-0145.html","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rustsec.org/advisories/RUSTSEC-2026-0145.html"},{"reference_url":"https://github.com/advisories/GHSA-3cv2-h65g-fgmm","reference_id":"GHSA-3cv2-h65g-fgmm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3cv2-h65g-fgmm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/515485?format=json","purl":"pkg:cargo/astral-tokio-tar@0.6.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:cargo/astral-tokio-tar@0.6.2"}],"aliases":["GHSA-3cv2-h65g-fgmm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hwns-d6kn-kycu"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/95074?format=json","vulnerability_id":"VCID-9mw8-wkt2-vfd5","summary":"astral-tokio-tar: `unpack_in` can chmod arbitrary directories by following symlinks\n### Impact\n\nIn versions 0.6.0 and earlier of astral-tokio-tar, the `unpack_in` API could inadvertently modify the permissions of external (i.e. non-archive) directories outside of the archive. An attacker could use this to contrive a tar archive that maliciously changes directory permissions outside of its intended hierarchy. This flaw only affects directories; individual file permissions cannot be modified via it.\n\nSee GHSA-j4xf-2g29-59ph for the equivalent flaw in the `tar` crate.\n\n### Patches\n\nVersions 0.6.1 and newer of astral-tokio-tar use `fs::symlink_metadata` rather than `fs::metadata`, avoiding the traversal.\n\n### Workarounds\n\nUsers are advised to upgrade to version 0.6.1 or newer to address this advisory.\n\nUsers should experience no breaking changes as a result of the patch above.\n\n### Resources\n\n- GHSA-j4xf-2g29-59ph for the original `tar` vulnerability\n\n### Attribution\n\n- Reporter: Adam Harvey (@lawngnome)","references":[{"reference_url":"https://github.com/advisories/GHSA-xx64-wwv2-hcqq","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xx64-wwv2-hcqq"},{"reference_url":"https://github.com/astral-sh/tokio-tar","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/astral-sh/tokio-tar"},{"reference_url":"https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-xx64-wwv2-hcqq","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-xx64-wwv2-hcqq"},{"reference_url":"https://rustsec.org/advisories/RUSTSEC-2026-0113.html","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rustsec.org/advisories/RUSTSEC-2026-0113.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/515484?format=json","purl":"pkg:cargo/astral-tokio-tar@0.6.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-hwns-d6kn-kycu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:cargo/astral-tokio-tar@0.6.1"}],"aliases":["GHSA-xx64-wwv2-hcqq"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9mw8-wkt2-vfd5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/92893?format=json","vulnerability_id":"VCID-yacs-7t6b-5ban","summary":"astral-tokio-tar is Vulnerable to PAX Header Desynchronization\n### Impact\n\nVersions of astral-tokio-tar prior to 0.6.1 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected files onto a victim's filesystem.\n\nSee GHSA-j5gw-2vrg-8fgx for a similar desynchronization bug in astral-tokio-tar.\n\n### Patches\n\nVersions 0.6.1 and newer of astral-tokio-tar address this differential.\n\n### Workarounds\n\nUsers are advised to upgrade to version 0.6.1 or newer to address this advisory.\n\nThere is no workaround other than upgrading. Users should experience no breaking changes as a result of the upgrade.\n\n### Resources\n\n- GHSA-j5gw-2vrg-8fgx is a similar PAX desynchronization bug\n\n### Attribution\n\n- Reporter: Adam Harvey (@lawngnome)","references":[{"reference_url":"https://github.com/advisories/GHSA-fp55-jw48-c537","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fp55-jw48-c537"},{"reference_url":"https://github.com/astral-sh/tokio-tar","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/astral-sh/tokio-tar"},{"reference_url":"https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-fp55-jw48-c537","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-fp55-jw48-c537"},{"reference_url":"https://rustsec.org/advisories/RUSTSEC-2026-0112.html","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rustsec.org/advisories/RUSTSEC-2026-0112.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/515484?format=json","purl":"pkg:cargo/astral-tokio-tar@0.6.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-hwns-d6kn-kycu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:cargo/astral-tokio-tar@0.6.1"}],"aliases":["GHSA-fp55-jw48-c537"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yacs-7t6b-5ban"}],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:cargo/astral-tokio-tar@0.6.1"}