Source: rust-astral-tokio-tar
Version: 0.5.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for rust-astral-tokio-tar.

CVE-2025-59825[0]:
| astral-tokio-tar is a tar archive reading/writing library for async
| Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar
| archives may extract outside of their intended destination directory
| when using the Entry::unpack_in_raw API. Additionally, the
| Entry::allow_external_symlinks control (which defaults to true)
| could be bypassed via a pair of symlinks that individually point
| within the destination but combine to point outside of it. These
| behaviors could be used individually or combined to bypass the
| intended security control of limiting extraction to the given
| directory. This in turn would allow an attacker with a malicious tar
| archive to perform an arbitrary file write and potentially pivot
| into code execution. This issue has been patched in version 0.5.4.
| There is no workaround other than upgrading.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-59825
    https://www.cve.org/CVERecord?id=CVE-2025-59825
[1] https://github.com/advisories/GHSA-3wgq-wrwc-vqmv
[2] https://github.com/astral-sh/tokio-tar/commit/036fdecc85c52458ace92dc9e02e9cef90684e75

Regards,
Salvatore
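The "pair of symlinks that individually point within the destination but combine to point outside of it" class of problem quoted above, illustrated as an added example that is not code from astral-tokio-tar or from this report: a per-link lexical containment check accepts each link on its own, while a check that canonicalizes the path after the links exist sees the escape. The two-link layout is constructed for the illustration, not taken from the CVE, and the code assumes a Unix filesystem (std::os::unix) with a writable temp directory.

```rust
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

/// Lexical check: does `link_dir/target`, normalised without touching the
/// filesystem, stay at or below the destination root? `link_dir` is the
/// link's own directory relative to the destination. This is the kind of
/// per-link test a chained pair of symlinks defeats.
pub fn lexically_inside<'a>(link_dir: &'a Path, target: &'a Path) -> bool {
    if target.is_absolute() {
        return false;
    }
    let mut depth: i64 = 0;
    for c in link_dir.components().chain(target.components()) {
        match c {
            Component::Normal(_) => depth += 1,
            Component::ParentDir => depth -= 1,
            _ => {}
        }
        if depth < 0 {
            return false;
        }
    }
    true
}

/// Filesystem check: follow every symlink in `dest/rel` and require the
/// real path to lie under the real destination directory.
pub fn resolves_inside(dest: &Path, rel: &Path) -> io::Result<bool> {
    let real_dest = fs::canonicalize(dest)?;
    let real = fs::canonicalize(dest.join(rel))?;
    Ok(real.starts_with(&real_dest))
}

/// Constructed layout (assumption, not the CVE's archive), built in a
/// fresh temp directory and returned as the destination path:
///   dest/sub/l1 -> ..                 (lexically: dest, inside)
///   dest/l2     -> sub/l1/../outside  (lexically: dest/sub/outside, inside)
/// Followed on disk, dest/l2 is `<tmp>/outside`, a sibling of dest.
pub fn build_chain() -> io::Result<PathBuf> {
    let root = std::env::temp_dir().join(format!("linkchain-{}", std::process::id()));
    let _ = fs::remove_dir_all(&root); // clean up a previous run, if any
    let dest = root.join("dest");
    fs::create_dir_all(dest.join("sub"))?;
    fs::create_dir_all(root.join("outside"))?;
    std::os::unix::fs::symlink("..", dest.join("sub/l1"))?;
    std::os::unix::fs::symlink("sub/l1/../outside", dest.join("l2"))?;
    Ok(dest)
}
```

Both links pass `lexically_inside`, but `resolves_inside(&dest, "l2")` returns false because the real target is outside `dest`, which is why the check has to be made against the resolved path rather than link by link.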

