SB2026042866 - Multiple vulnerabilities in tar-rs

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2026-33055)

The vulnerability allows a remote attacker to smuggle unexpected archive entries past validation checks.

The vulnerability exists due to improper input validation in the tar archive parser when processing tar archives with conflicting PAX size headers and base header sizes. A remote attacker can supply a specially crafted archive to smuggle unexpected archive entries past validation checks.

The issue can cause tar-rs to produce a different view of archive contents than other tar parsers, including cases where a symlink entry is seen by tar-rs but skipped by another parser.

2) UNIX symbolic link following (CVE-ID: CVE-2026-33056)

The vulnerability allows a remote attacker to modify permissions of arbitrary directories outside the extraction root.

The vulnerability exists due to symlink following in unpack_dir when unpacking a crafted tar archive. A remote attacker can supply a tarball containing a symlink entry followed by a directory entry with the same name to modify permissions of arbitrary directories outside the extraction root.

Remediation

Install update from vendor's website.

References

• https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff
• https://github.com/advisories/GHSA-gchp-q4r4-x4ff
• https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph
• https://github.com/advisories/GHSA-j4xf-2g29-59ph