`unpack_in` can chmod arbitrary directories by following symlinks

In versions 0.4.44 and below of tar-rs, when unpacking a tar archive, the tar crate's unpackdir function uses fs::metadatafs-metadata to check whether a path that already exists is a directory. Because fs::metadata follows symbolic links, a crafted tarball containing a symlink entry followed by a...

EUVD-2023-27001

Malicious code in bioql PyPI...