
46 matches found

OpenVAS
added 2026/04/15 12:0 a.m. | 2 views

Ubuntu: Security Advisory (USN-8138-2)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 6.5 | AI score 5.8 | EPSS 0.00019
Exploits: 1 | References: 2

Ubuntu
added 2026/04/14 8:1 p.m. | 5 views

USN-8138-2: tar-rs vulnerability

USN-8138-1 fixed a vulnerability in tar-rs. This update provides the corresponding update for Ubuntu 20.04 LTS. Original advisory details: It was discovered that tar-rs incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a speciall...

CVSS 6.5 | AI score 6 | EPSS 0.00019
Exploits: 1

OSV
added 2026/04/14 8:1 p.m. | 3 views

USN-8138-2 rust-tar vulnerability

USN-8138-1 fixed a vulnerability in tar-rs. This update provides the corresponding update for Ubuntu 20.04 LTS. Original advisory details: It was discovered that tar-rs incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a speciall...

CVSS 6.5 | AI score 6 | EPSS 0.00019
Exploits: 1 | References: 2

OSV
added 2026/04/14 6:1 p.m. | 1 views

USN-8168-2 rustc, rustc-1.76, rustc-1.77, rustc-1.78, rustc-1.79, rustc-1.80 vulnerability

USN-8168-1 fixed a vulnerability in Rust. This update provides the corresponding update to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. Original advisory details: It was discovered that tar-rs embedded in rustc incorrectly handled symlinks when unpacking a tar archiv...

CVSS 6.5 | AI score 6 | EPSS 0.00019
Exploits: 1 | References: 2

Tenable Nessus
added 2026/04/14 12:0 a.m. | 9 views

Amazon Linux 2 : rust, --advisory ALAS2-2026-3246 (ALAS-2026-3246)

The version of rust installed on the remote host is prior to 1.94.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3246 advisory. A flaw in the gix-date library can generate invalid non-UTF8 strings, leading to undefined behavior when processed. The most...

CVSS 8.1 | AI score 6 | EPSS 0.00019
Exploits: 3 | References: 8

Tenable Nessus
added 2026/04/14 12:0 a.m. | 2 views

Ubuntu 22.04 LTS / 24.04 LTS / 25.10 : Rust vulnerability (USN-8168-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by a vulnerability as referenced in the USN-8168-1 advisory. It was discovered that tar-rs embedded in rustc incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were...

CVSS 6.5 | AI score 6 | EPSS 0.00019
Exploits: 1 | References: 2

OSV
added 2026/04/13 12:35 p.m. | 2 views

USN-8168-1 rustc vulnerability

It was discovered that tar-rs embedded in rustc incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to modify permissions of arbitrary directories outside the...

CVSS 6.5 | AI score 6 | EPSS 0.00019
Exploits: 1 | References: 2

Amazon
added 2026/04/13 12:0 a.m. | 6 views

Medium: rust-cargo-c

Issue Overview: tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size...

CVSS 8.1 | AI score 5.9 | EPSS 0.00019
Exploits: 3

Tenable Nessus
added 2026/04/13 12:0 a.m. | 14 views

Amazon Linux 2023 : below (ALAS2023-2026-1567)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1567 advisory. tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As par...

CVSS 8.1 | AI score 7.5 | EPSS 0.00019
Exploits: 2 | References: 6

Amazon
added 2026/04/13 12:0 a.m. | 7 views

Medium: rust

Issue Overview: A flaw in the gix-date library can generate invalid non-UTF8 strings, leading to undefined behavior when processed. The most likely impact from a successful attack is to data integrity, by the malicious data being able to corrupt data being held in memory and to system availabilit...

CVSS 8.1 | AI score 5.8 | EPSS 0.00019
Exploits: 4

Positive Technologies
added 2026/04/13 12:0 a.m. | 1 views

PT-2026-32712

It was discovered that tar-rs embedded in rustc incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to modify permissions of arbitrary directories outside the...

CVSS 6.5 | AI score 6 | EPSS 0.00019
Exploits: 1 | References: 3

Tenable Nessus
added 2026/04/13 12:0 a.m. | 5 views

Amazon Linux 2023 : cargo-c (ALAS2023-2026-1566)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1566 advisory. tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As par...

CVSS 8.1 | AI score 7.5 | EPSS 0.00019
Exploits: 2 | References: 6

Tenable Nessus
added 2026/04/03 12:0 a.m. | 2 views

Ubuntu 25.10 : cargo-c vulnerability (USN-8139-1)

The remote Ubuntu 25.10 host has packages installed that are affected by a vulnerability as referenced in the USN-8139-1 advisory. It was discovered that tar-rs embedded in cargo-c incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processin...

CVSS 6.5 | AI score 6.1 | EPSS 0.00019
Exploits: 1 | References: 2

Tenable Nessus
added 2026/04/03 12:0 a.m. | 0 views

Ubuntu 22.04 LTS / 24.04 LTS / 25.10 : tar-rs vulnerability (USN-8138-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by a vulnerability as referenced in the USN-8138-1 advisory. It was discovered that tar-rs incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into...

CVSS 6.5 | AI score 6.1 | EPSS 0.00019
Exploits: 1 | References: 2

Tenable Nessus
added 2026/04/02 12:0 a.m. | 2 views

Fedora 42 : bpfman (2026-b4d393799a)

"The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-b4d393799a advisory. Fix CVE-2026-33056 tar-rs 0.4.45 %NASLMINLEVEL 80900 C Tenable, Inc. The descriptive text and package checks in this plugin were extracted from Fedora...

CVSS 6.5 | AI score 7.1 | EPSS 0.00019
Exploits: 1 | References: 2

OpenVAS
added 2026/04/02 12:0 a.m. | 1 views

Fedora: Security Advisory (FEDORA-2026-b4d393799a)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 6.5 | AI score 7.1 | EPSS 0.00019
Exploits: 1 | References: 3

OSV
added 2026/04/01 1:44 p.m. | 2 views

USN-8139-1 rust-cargo-c vulnerability

It was discovered that tar-rs embedded in cargo-c incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to modify permissions of arbitrary directories outside th...

CVSS 6.5 | AI score 6 | EPSS 0.00019
Exploits: 1 | References: 2

Ubuntu
added 2026/04/01 1:35 p.m. | 4 views

USN-8138-1: tar-rs vulnerability

It was discovered that tar-rs incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to modify permissions of arbitrary directories outside the extraction root, a...

CVSS 6.5 | AI score 6 | EPSS 0.00019
Exploits: 1

Positive Technologies
added 2026/04/01 12:0 a.m. | 1 views

PT-2026-29964

It was discovered that tar-rs embedded in cargo-c incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to modify permissions of arbitrary directories outside th...

CVSS 6.5 | AI score 6 | EPSS 0.00019
Exploits: 1 | References: 3

RedhatCVE
added 2026/03/26 3:8 p.m. | 1 views

CVE-2026-33055

tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the...

CVSS 8.1 | AI score 7.3 | EPSS 0.00019
Exploits: 2 | References: 1