RUSTSEC-2026-0068: tar-rs incorrectly ignores PAX size headers if header size is nonzero #251
Description
tar-rs incorrectly ignores PAX size headers if header size is nonzero
| Details | |
|---|---|
| Package | tar |
| Version | 0.4.44 |
| Date | 2026-03-19 |
| Patched versions | >=0.4.45 |
Versions 0.4.44 and below of tar-rs have conditional logic that skips the PAX
size header in cases where the base header size is nonzero.
As part of CVE-2025-62518, the astral-tokio-tar
project was changed to correctly honor PAX size headers in the case where it
was different from the base header. This is almost the inverse of the
astral-tokio-tar issue.
Any discrepancy in how tar parsers honor file size can be used to create
archives that appear differently when unpacked by different archivers. In this
case, the tar-rs (Rust tar) crate is an outlier in checking for the header size
— other tar parsers (including e.g. Go archive/tar) unconditionally
use the PAX size override. This can affect anything that uses the tar crate to
parse archives and expects to have a consistent view with other parsers.
This issue has been fixed in version 0.4.45.
See advisory page for additional details.