Description
Insufficient validation of PAX extensions during extraction
| Details | Value |
|---|---|
| Package | astral-tokio-tar |
| Version | 0.5.6 |
| Date | 2026-03-17 |
| Patched versions | >=0.6.0 |
In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions
were silently skipped when parsing tar archives. This silent skipping (rather
than rejection) of invalid PAX extensions could be used as a building block for
a parser differential, for example by silently skipping a malformed GNU "long
link" extension so that a subsequent parser would misinterpret the extension.
In practice, exploiting this behavior in astral-tokio-tar requires a secondary
misbehaving tar parser, i.e. one that insufficiently validates malformed PAX
extensions and interprets them rather than skipping or erroring on them. This
vulnerability is considered low-severity because it requires a separate
vulnerability in an unrelated tar parser.
This issue has been fixed in version 0.6.0.
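To make the skip-versus-reject distinction concrete, here is an added example (not code from astral-tokio-tar or its fix) of a minimal PAX extended-header record parser in two variants: a lenient one that silently resynchronises past a malformed record, and a strict one that returns an error. The PAX record format (`<length> <keyword>=<value>\n`, where the length counts the whole record including the digits and the newline) is the standard one; the resync-at-next-newline strategy in `parse_lenient` is an assumption about one plausible lenient behaviour, not a claim about what the vulnerable version did, and `SAMPLE` is a constructed input with one well-formed record, one record missing its `=`, and one trailing well-formed record. The point is that two parsers fed the same bytes can disagree on which keywords are in effect unless both reject the malformed record.

```rust
use std::collections::BTreeMap;

/// Errors a strict PAX record parser reports instead of skipping.
#[derive(Debug, PartialEq)]
pub enum PaxError {
    MissingSpace,
    BadLength,
    MissingEquals,
    MissingNewline,
}

/// Constructed sample (not from a real archive): a valid `path` record,
/// a malformed record with no `=`, then a valid `linkpath` record.
pub const SAMPLE: &[u8] = b"12 path=a/b\n8 bogus\n16 linkpath=x/y\n";

/// Parse one `<len> <keyword>=<value>\n` record at the start of `input`.
/// Returns (keyword, value, bytes consumed).
fn parse_record(input: &[u8]) -> Result<(String, Vec<u8>, usize), PaxError> {
    let space = input.iter().position(|&b| b == b' ').ok_or(PaxError::MissingSpace)?;
    let len_str = std::str::from_utf8(&input[..space]).map_err(|_| PaxError::BadLength)?;
    let len: usize = len_str.parse().map_err(|_| PaxError::BadLength)?;
    // The declared length covers the digits, the space, the body and the newline.
    if len <= space + 1 || len > input.len() {
        return Err(PaxError::BadLength);
    }
    let record = &input[..len];
    if record[len - 1] != b'\n' {
        return Err(PaxError::MissingNewline);
    }
    let body = &record[space + 1..len - 1];
    let eq = body.iter().position(|&b| b == b'=').ok_or(PaxError::MissingEquals)?;
    let key = String::from_utf8_lossy(&body[..eq]).into_owned();
    let value = body[eq + 1..].to_vec();
    Ok((key, value, len))
}

/// Lenient variant (assumed behaviour): on a malformed record, silently skip
/// to the next newline and keep going. Later records still take effect.
pub fn parse_lenient(mut data: &[u8]) -> BTreeMap<String, Vec<u8>> {
    let mut out = BTreeMap::new();
    while !data.is_empty() {
        match parse_record(data) {
            Ok((k, v, n)) => {
                out.insert(k, v);
                data = &data[n..];
            }
            Err(_) => match data.iter().position(|&b| b == b'\n') {
                Some(nl) => data = &data[nl + 1..],
                None => break,
            },
        }
    }
    out
}

/// Strict variant: any malformed record fails the whole extension block,
/// so no consumer can act on a partially interpreted header.
pub fn parse_strict(mut data: &[u8]) -> Result<BTreeMap<String, Vec<u8>>, PaxError> {
    let mut out = BTreeMap::new();
    while !data.is_empty() {
        let (k, v, n) = parse_record(data)?;
        out.insert(k, v);
        data = &data[n..];
    }
    Ok(out)
}

fn main() {
    // Same bytes, two different answers: that gap is the parser differential.
    println!("lenient: {:?}", parse_lenient(SAMPLE));
    println!("strict:  {:?}", parse_strict(SAMPLE));
}
```

Running the block shows the lenient parser returning both `path` and `linkpath` while the strict parser returns `Err(MissingEquals)`; a consumer that trusts only the strict result never sees a header the other parser would have interpreted.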
See advisory page for additional details.