Xokdvium

**Name of the Vulnerable Software and Affected Versions** tar-rs versions 0.4.44 and below **Description** tar-rs, a Rust library for reading and writing tar archives, contains a flaw in its handling of PAX size headers. Specifically, versions 0.4.44 and below have conditional logic that skips the PAX size header when the base header size is non-zero. This discrepancy in how tar parsers handle file sizes can be exploited to create archives that appear different when unpacked by different archivers. The tar-rs crate is an exception in checking the header size, while other tar parsers, such as Go's archive/tar, unconditionally use the PAX size override. This issue can affect any application using the tar-rs crate to parse archives and expecting consistency with other parsers. A proof-of-concept (PoC) demonstrates the potential to smuggle symlinks into the registry, bypassing security checks in certain scenarios. **Recommendations** Update to version 0.4.45 or later.

**Name of the Vulnerable Software and Affected Versions** tar-rs versions 0.4.44 and below **Description** The tar-rs crate’s `unpack dir` function uses `fs::metadata()` to verify if a path already exists as a directory during tar archive unpacking. Because `fs::metadata()` follows symbolic links, a specially crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to incorrectly treat the symlink target as a valid existing directory. This leads to the application of `chmod` to the target, allowing an attacker to modify permissions of arbitrary directories outside the extraction root. The `fs::metadata()` function follows symbolic links, which is the root cause of the issue. The fix involves using `fs::symlink metadata()` in `unpack dir` to detect and reject symlinks instead of following them. **Recommendations** Versions 0.4.44 and below should be updated to version 0.4.45 or later.

**Name of the Vulnerable Software and Affected Versions** astral-tokio-tar versions 0.5.6 and earlier **Description** astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping, instead of rejection, of invalid PAX extensions could be used to create a parser differential, for example, by silently skipping a malformed GNU “long link” extension so that a subsequent parser would misinterpret the extension. Exploiting this behavior requires a secondary, misbehaving tar parser that insufficiently validates malformed PAX extensions and interprets them instead of skipping or erroring on them. This issue is considered low severity as it requires a separate issue against any unrelated tar parser. **Recommendations** Upgrade to version 0.6.0 or newer to address this issue.