Tar Crate · CVE-2021-38511
**Name of the Vulnerable Software and Affected Versions**
tar crate versions prior to 0.4.36
**Description**
An issue was discovered in the tar crate for Rust. When symlinks are present in a TAR archive, extraction can create arbitrary directories via `..` traversal: unpacking a tarball that contains a symlink lets the tar crate create directories outside of the directory it is supposed to unpack into. The unpack call returns an error when it tries to create the file, but the directories have already been created by that point.
**Recommendations**
For versions prior to 0.4.36, update to version 0.4.36 to resolve the issue. As a temporary workaround, consider avoiding the use of symlinks in TAR archives until the update is applied. Restrict access to the `unpack` function of the `Archive` type to minimize the risk of exploitation, and avoid using the `Builder` type to create TAR archives that contain symlinks until the issue is resolved.
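One way to detect the archive shape described above before handing anything to an extractor is a lexical pre-scan of the headers. The Rust program below is an added example for this page, not code from the tar crate: it parses ustar headers from an in-memory archive with a minimal reader of my own (`parse_headers`), resolves every entry path and symlink target lexically against the destination (`contained`), and flags three conditions: an entry path that climbs out of the destination, a symlink whose target resolves outside it, and a later entry whose path passes through a symlink defined earlier in the same archive, which is the combination that makes a directory chain appear outside the target. The `Entry`, `Finding`, `scan`, `header` and `sample_archive` names are mine, the sample archive is constructed for the example, and the scan is a pre-filter only; it does not replace upgrading to 0.4.36.

```rust
use std::collections::HashMap;
use std::path::{Component, Path, PathBuf};

/// One entry read from a 512-byte ustar header (my own minimal type, not the tar crate's `Entry`).
#[derive(Debug, PartialEq)]
pub struct Entry {
    pub path: String,
    pub typeflag: u8, // b'0' regular file, b'2' symlink, b'5' directory
    pub link_target: String,
}

/// What the pre-extraction scan can flag without touching the filesystem.
#[derive(Debug, PartialEq)]
pub enum Finding {
    PathEscapes(String),                  // entry path is absolute or climbs above dest via `..`
    SymlinkTargetEscapes(String, String), // (symlink path, target): target resolves outside dest
    PathThroughSymlink(String, String),   // (entry path, earlier symlink the path passes through)
}

fn field(block: &[u8], start: usize, len: usize) -> String {
    let raw = &block[start..start + len];
    let end = raw.iter().position(|&b| b == 0).unwrap_or(len); // NUL-terminated fixed-width field
    String::from_utf8_lossy(&raw[..end]).into_owned()
}

/// Walk the header blocks of an in-memory archive; checksums and the ustar prefix field are ignored.
pub fn parse_headers(archive: &[u8]) -> Vec<Entry> {
    let mut entries = Vec::new();
    let mut off = 0;
    while off + 512 <= archive.len() {
        let block = &archive[off..off + 512];
        if block.iter().all(|&b| b == 0) { break; } // all-zero block: end-of-archive marker
        let size = u64::from_str_radix(field(block, 124, 12).trim(), 8).unwrap_or(0);
        entries.push(Entry { path: field(block, 0, 100), typeflag: block[156], link_target: field(block, 157, 100) });
        off += 512 + ((size + 511) / 512 * 512) as usize; // skip the 512-byte-padded file data
    }
    entries
}

/// Lexically resolve `rel` from `start`, rejecting absolute paths and any `..` that would climb above `floor`.
pub fn contained(floor: &Path, start: &Path, rel: &str) -> Option<PathBuf> {
    let mut out = start.to_path_buf();
    for c in Path::new(rel).components() {
        match c {
            Component::Normal(p) => out.push(p),
            Component::CurDir => {}
            Component::ParentDir => if out.as_path() == floor || !out.pop() { return None; },
            _ => return None, // RootDir / Prefix: an absolute path never stays inside
        }
    }
    Some(out)
}

/// Scan entries in archive order; a later entry whose path runs through an earlier symlink is the risky pattern.
pub fn scan(dest: &Path, entries: &[Entry]) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut symlinks: HashMap<PathBuf, String> = HashMap::new(); // resolved path -> entry path
    for e in entries {
        let full = match contained(dest, dest, &e.path) {
            Some(p) => p,
            None => { findings.push(Finding::PathEscapes(e.path.clone())); continue; }
        };
        if let Some(via) = full.ancestors().skip(1).find_map(|a| symlinks.get(a)) {
            findings.push(Finding::PathThroughSymlink(e.path.clone(), via.clone()));
        }
        if e.typeflag == b'2' {
            // a link target is resolved relative to the directory holding the link
            let parent = full.parent().unwrap_or(dest);
            if contained(dest, parent, &e.link_target).is_none() {
                findings.push(Finding::SymlinkTargetEscapes(e.path.clone(), e.link_target.clone()));
            }
            symlinks.insert(full, e.path.clone());
        }
    }
    findings
}

/// Build one 512-byte ustar header for constructed test input (checksum left blank).
pub fn header(name: &str, typeflag: u8, link: &str, size: u64) -> [u8; 512] {
    let mut b = [0u8; 512];
    b[..name.len()].copy_from_slice(name.as_bytes());
    b[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    b[156] = typeflag;
    b[157..157 + link.len()].copy_from_slice(link.as_bytes());
    b[257..263].copy_from_slice(b"ustar\0");
    b
}

/// Constructed archive: a symlink pointing above the destination, then a file whose path goes through it.
pub fn sample_archive() -> Vec<u8> {
    let mut a = Vec::new();
    a.extend_from_slice(&header("pkg/", b'5', "", 0));
    a.extend_from_slice(&header("pkg/escape", b'2', "../../outside", 0));
    a.extend_from_slice(&header("pkg/escape/deep/file.txt", b'0', "", 5));
    a.extend_from_slice(b"hello");
    a.resize(a.len() + 507, 0); // file data padded to a full block
    a.extend_from_slice(&header("../../etc/x", b'0', "", 0)); // plain `..` traversal entry
    a.extend_from_slice(&[0u8; 1024]); // two zero blocks end the archive
    a
}

fn main() {
    for f in scan(Path::new("dest"), &parse_headers(&sample_archive())) { println!("{:?}", f); }
}
```

The check is purely lexical and runs before any file is created, so it catches the case the advisory describes (the error only surfacing after the directories exist) rather than reacting to it. It deliberately records every symlink, even one that escapes, so that any later entry routed through it is reported as well. It does not model symlinks that already exist on disk in the destination; a reviewer extracting into a fresh, empty directory avoids that gap.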