RUSTSEC-2026-0067: unpack_in can chmod arbitrary directories by following symlinks #218
Description
| Details | |
|---|---|
| Package | tar |
| Version | 0.4.44 |
| URL | n/a |
| Patched Versions | >=0.4.45 |
| Aliases | CVE-2026-33056, GHSA-j4xf-2g29-59ph |
In versions 0.4.44 and below of tar-rs, when unpacking a tar archive, the tar
crate's unpack_dir function uses fs::metadata() to check
whether a path that already exists is a directory. Because fs::metadata()
follows symbolic links, a crafted tarball containing a symlink entry followed
by a directory entry with the same name causes the crate to treat the symlink
target as a valid existing directory — and subsequently apply chmod to it. This
allows an attacker to modify the permissions of arbitrary directories outside
the extraction root.
This issue has been fixed in version 0.4.45.