#1135225 rust-tar: CVE-2026-33055

Package:
src:rustc
Source:
src:rustc
Submitter:
Salvatore Bonaccorso
Date:
2026-04-29 16:49:04 UTC
Severity:
normal
Tags:
#1135225#5
Date:
2026-03-21 18:43:53 UTC
Hi,

The following vulnerability was published for rust-tar.

CVE-2026-33055[0]:
| tar-rs is a tar archive reading/writing library for Rust. Versions
| 0.4.44 and below have conditional logic that skips the PAX size
| header in cases where the base header size is nonzero. As part of
| CVE-2025-62518, the astral-tokio-tar project was changed to
| correctly honor PAX size headers in the case where it was different
| from the base header. This is almost the inverse of the astral-
| tokio-tar issue. Any discrepancy in how tar parsers honor file size
| can be used to create archives that appear differently when unpacked
| by different archivers. In this case, the tar-rs (Rust tar) crate is
| an outlier in checking for the header size - other tar parsers
| (including e.g. Go archive/tar) unconditionally use the PAX size
| override. This can affect anything that uses the tar crate to parse
| archives and expects to have a consistent view with other parsers.
| This issue has been fixed in version 0.4.45.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33055
https://www.cve.org/CVERecord?id=CVE-2026-33055
[1] https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff
[2] https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
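
The parser differential the CVE text describes, as an added example (not tar-rs code and not taken from the advisory): a toy tar reader that reports the first entry's size under both rules, the pre-0.4.45 tar-rs rule (PAX `size` honoured only when the ustar size field is zero) and the rule Go archive/tar and tar-rs 0.4.45 apply (PAX `size` always overrides), run on a constructed archive whose PAX record and ustar size field disagree. The two values differing is the signal a defender would flag before unpacking. Header offsets are standard ustar (size at 124, typeflag at 156); header checksum verification is omitted for brevity.

```rust
/// Parse a NUL-terminated ASCII octal field from a ustar header.
fn octal(field: &[u8]) -> u64 {
    field.iter().take_while(|b| b.is_ascii_digit()).fold(0, |n, b| n * 8 + u64::from(b - b'0'))
}

/// Minimal 512-byte ustar header (checksum left zero; this toy reader does not verify it).
fn header(name: &str, size: usize, typeflag: u8) -> [u8; 512] {
    let mut h = [0u8; 512];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    h[156] = typeflag;
    h
}

/// Extract the `size` record from PAX extended-header data ("LEN key=value\n" records).
fn pax_size(data: &[u8]) -> Option<u64> {
    std::str::from_utf8(data).ok()?.lines().find_map(|l| l.split_once(" size=")?.1.parse().ok())
}

/// First regular entry's size as (legacy, pax): legacy is tar-rs <= 0.4.44 (PAX size only
/// when the base size is 0); pax is Go archive/tar and tar-rs 0.4.45 (PAX size always wins).
fn entry_sizes(archive: &[u8]) -> Option<(u64, u64)> {
    let mut pos = 0usize;
    let mut pax: Option<u64> = None;
    while pos + 512 <= archive.len() {
        let h = &archive[pos..pos + 512];
        let base = octal(&h[124..136]);
        let end = (pos + 512 + (base as usize + 511) / 512 * 512).min(archive.len());
        if h[156] != b'x' {
            let legacy = if base == 0 { pax.unwrap_or(0) } else { base };
            return Some((legacy, pax.unwrap_or(base)));
        }
        pax = pax_size(&archive[pos + 512..end]); // remember the PAX override for the next entry
        pos = end;
    }
    None
}

/// Constructed archive (not from the advisory): PAX says 5 bytes, the ustar header says 12.
fn build_archive() -> Vec<u8> {
    let (rec, body) = (&b"10 size=5\n"[..], &b"hello world!"[..]);
    let mut a = Vec::new();
    for (h, d) in [(header("PaxHeaders/a.txt", 10, b'x'), rec), (header("a.txt", 12, b'0'), body)] {
        a.extend_from_slice(&h);
        a.extend_from_slice(d);
        a.resize((a.len() + 511) / 512 * 512, 0); // pad each data block to 512 bytes
    }
    a
}
```

`entry_sizes(&build_archive())` returns `Some((12, 5))`: a 0.4.44 reader and a Go reader would extract different amounts of data from the same entry, which is exactly the inconsistency the advisory warns about.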

#1135225#10
Date:
2026-03-23 08:48:58 UTC
We believe that the bug you reported is fixed in the latest version of
rust-tar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1131480@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Grünbichler <debian@fabian.gruenbichler.email> (supplier of updated rust-tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 23 Mar 2026 09:41:02 +0100
Source: rust-tar
Architecture: source
Version: 0.4.45-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>
Changed-By: Fabian Grünbichler <debian@fabian.gruenbichler.email>
Closes: 1131480 1131481
Changes:
 rust-tar (0.4.45-1) unstable; urgency=medium
 .
   * Team upload.
   * Package tar 0.4.45 from crates.io using debcargo 2.8.1
   * Fixes CVE-2026-33055 (Closes: #1131480)
   * Fixes CVE-2026-33056 (Closes: #1131481)