Ubuntu alert USN-8139-1 (rust-cargo-c)
| From: | noreply+usn-bot@canonical.com | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-8139-1] cargo-c vulnerability | |
| Date: | Wed, 01 Apr 2026 15:23:21 +0000 | |
| Message-ID: | <E1w7xPd-0002cl-Ks@lists.ubuntu.com> |
========================================================================== Ubuntu Security Notice USN-8139-1 April 01, 2026 rust-cargo-c vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.10 Summary: cargo-c could be made to modify permissions on arbitrary directories. Software Description: - rust-cargo-c: Helper program to build and install c-like libraries Details: It was discovered that tar-rs embedded in cargo-c incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to modify permissions of arbitrary directories outside the extraction root, and possibly escalate privileges. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.10 cargo-c 0.10.11-1ubuntu1.1 librust-cargo-c-dev 0.10.11-1ubuntu1.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8139-1 CVE-2026-33056 Package Information: https://launchpad.net/ubuntu/+source/rust-cargo-c/0.10.11...
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmnNOFoACgkQcpJm3tlz hgHmGQ/9FLqTkVQzfF1tQ0S8ZtA6sEsF0cQOjzTgZXQlJ8Lko49K/VU9aSwgm7nI OG006D8v/pYAtl2atS5LUFLj6SIFkJ/Bge9EvwBmBSnu1OqMdYCqQ2rK9SqUukD6 wVSPH4MTnR2W/lSBG2a/z4QGPamzYbRlmCiBQ+i5W7sIFmR6dm4k05duNaH0K1Ww PcnGCdJR2UGOb8Ywnkw1iPZcjbaLuZFOUMl9CTk4UWKtR/PoXRIh/M/OglplmthE fExyySZzMdGEGLQ2pLr2a3IggEMMoIF2gii1pnk3sQJG4/vnAyKniI88pIbC7wD+ 4BYT8qBo619zwwqD7u6VkUyoCUZMz7FrLRx2HyzyZmJfGsVeC63/pr7Uu2H98Z8v Ahz/6BDn8YQRETFwcJze1ykLkM9ZFaEmCC8wxs5AsMbI6QdSGirmX2xVUjDOrIVq iacbF/+kGjkunxFOzOsv1pBu9PKMM+rUFv74RRIvq7DknLg4q0LBcClUDfZIpCkL ciBkAjGzHS1W/yIdx5Y3feXmYcqZx9GEdYmwG2vH/pgTbSQmxBJ/rvZcFv4KrkQj OYjJzOihuWR/ydo/m5vnf22gLhkSGxZeT3g+1C1Cx4XX5v7t7Mz5+7DdvJKOBXGP C6i6sEOEcJz4v6XbFBIhSww0dG7NyTFIlqp/wSWYXxkYf+2eImw= =cBom -----END PGP SIGNATURE-----