unpack_in can chmod arbitrary directories by following symlinks
| Details | |
|---|---|
| Package | astral-tokio-tar |
| Version | 0.6.0 |
| URL | GHSA-xx64-wwv2-hcqq |
| Date | 2026-04-27 |
| Patched versions | >=0.6.1 |
In versions 0.6.0 and earlier of astral-tokio-tar, the unpack_in API could
inadvertently modify the permissions of directories outside the extraction
destination. Because the permission-setting step follows symlinks, an attacker
can construct a tar archive that plants a symlink and then causes unpack_in to
change the mode of the directory it points to, outside the intended hierarchy.
This flaw only affects directories; individual file permissions cannot be
modified via it.
See GHSA-j4xf-2g29-59ph for the equivalent flaw in the tar crate.
See advisory page for additional details.
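The following is an added illustration, not code from astral-tokio-tar or the advisory. It models an extractor that applies directory modes from archive entries (a constructed `Entry` type and a two-entry "archive", not the crate's API) and shows the failure mode the advisory describes: `fs::set_permissions` is chmod(2) by path, so when an earlier entry has already created that path as a symlink, the mode lands on the symlink's target. The hardened variant lstat's the path, refuses symlinks, and applies the mode through an opened descriptor after checking that it refers to the inode lstat saw. The temp-directory layout and the `outside` directory are assumptions made for the demonstration.

```rust
// Added example: why chmod-by-path on a directory entry follows a planted
// symlink, and one way to harden it. Illustrative only; not the crate's code.
use std::fs::{self, File, Permissions};
use std::io;
use std::os::unix::fs::{symlink, MetadataExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Archive entry reduced to the fields that matter here (modelled type, not
/// the crate's `Entry`).
pub enum Entry {
    Dir { path: &'static str, mode: u32 },
    Symlink { path: &'static str, target: PathBuf },
}

pub type Extractor = fn(&Path, &[Entry]) -> io::Result<()>;

/// Naive extractor: `fs::set_permissions` is chmod(2), which resolves
/// symlinks, so a `Dir` entry whose path was created as a symlink by an
/// earlier entry changes the mode of the link target instead.
pub fn unpack_naive(dest: &Path, entries: &[Entry]) -> io::Result<()> {
    for e in entries {
        match e {
            Entry::Symlink { path, target } => symlink(target, dest.join(path))?,
            Entry::Dir { path, mode } => {
                let p = dest.join(path);
                // `is_dir` follows symlinks too, so the planted link looks like
                // an existing directory and nothing new is created.
                if !p.is_dir() {
                    fs::create_dir_all(&p)?;
                }
                fs::set_permissions(&p, Permissions::from_mode(*mode))?;
            }
        }
    }
    Ok(())
}

/// Hardened extractor: lstat the path and refuse symlinks, then open the
/// directory, confirm via fstat that the descriptor is the inode lstat saw,
/// and fchmod through the descriptor (`File::set_permissions`). Validating
/// symlink targets against `dest` is a separate concern and is not shown.
pub fn unpack_hardened(dest: &Path, entries: &[Entry]) -> io::Result<()> {
    for e in entries {
        match e {
            Entry::Symlink { path, target } => symlink(target, dest.join(path))?,
            Entry::Dir { path, mode } => {
                let p = dest.join(path);
                let lst = match fs::symlink_metadata(&p) {
                    Ok(m) => m,
                    Err(err) if err.kind() == io::ErrorKind::NotFound => {
                        fs::create_dir_all(&p)?;
                        fs::symlink_metadata(&p)?
                    }
                    Err(err) => return Err(err),
                };
                if lst.file_type().is_symlink() {
                    return Err(io::Error::new(
                        io::ErrorKind::InvalidData,
                        format!("{}: refusing to chmod through a symlink", p.display()),
                    ));
                }
                let dir = File::open(&p)?;
                let fst = dir.metadata()?;
                if (fst.dev(), fst.ino()) != (lst.dev(), lst.ino()) {
                    return Err(io::Error::new(
                        io::ErrorKind::InvalidData,
                        format!("{}: path changed between lstat and open", p.display()),
                    ));
                }
                dir.set_permissions(Permissions::from_mode(*mode))?;
            }
        }
    }
    Ok(())
}

/// Constructed scenario: an `outside` directory (mode 0700) that the archive
/// must not touch, an empty `dest`, and an archive that plants
/// `pub -> outside` followed by a `pub/` directory entry with mode 0777.
/// Returns the outside directory's final mode bits and whether extraction
/// reported success.
pub fn demo(tag: &str, extract: Extractor) -> io::Result<(u32, bool)> {
    let base = std::env::temp_dir().join(format!("unpack-demo-{}-{}", std::process::id(), tag));
    let _ = fs::remove_dir_all(&base);
    let outside = base.join("outside");
    let dest = base.join("dest");
    fs::create_dir_all(&outside)?;
    fs::create_dir_all(&dest)?;
    fs::set_permissions(&outside, Permissions::from_mode(0o700))?;
    let entries = [
        Entry::Symlink { path: "pub", target: outside.clone() },
        Entry::Dir { path: "pub", mode: 0o777 },
    ];
    let ok = extract(&dest, &entries).is_ok();
    let mode = fs::metadata(&outside)?.mode() & 0o777;
    fs::remove_dir_all(&base)?;
    Ok((mode, ok))
}

fn main() -> io::Result<()> {
    let (naive_mode, _) = demo("naive", unpack_naive)?;
    let (hard_mode, hard_ok) = demo("hardened", unpack_hardened)?;
    println!("naive: outside dir mode {:o}", naive_mode);
    println!("hardened: outside dir mode {:o}, extraction ok = {}", hard_mode, hard_ok);
    Ok(())
}
```

With the naive extractor the `outside` directory ends up mode 0777; the hardened one leaves it at 0700 and reports an error. The lstat-then-fstat inode comparison closes the window in which a symlink could be swapped in between the check and the chmod; on platforms that expose it, opening with O_NOFOLLOW|O_DIRECTORY and fchmod'ing achieves the same without the comparison.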