Ubuntu alert USN-8138-1 (rust-tar)
From: noreply+usn-bot@canonical.com
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-8138-1] tar-rs vulnerability
Date: Wed, 01 Apr 2026 15:23:19 +0000
Message-ID: <E1w7xPb-0002cD-2q@lists.ubuntu.com>

==========================================================================
Ubuntu Security Notice USN-8138-1
April 01, 2026

rust-tar vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

tar-rs could be made to modify permissions on arbitrary directories.

Software Description:
- rust-tar: A tar archive reading/writing library for Rust

Details:

It was discovered that tar-rs incorrectly handled symlinks when unpacking
a tar archive. If a user or automated system were tricked into processing
a specially crafted tar archive, a remote attacker could use this issue to
modify permissions of arbitrary directories outside the extraction root,
and possibly escalate privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
  librust-tar-dev                 0.4.43-4ubuntu0.1

Ubuntu 24.04 LTS
  librust-tar-dev                 0.4.40-1ubuntu0.1

Ubuntu 22.04 LTS
  librust-tar+default-dev         0.4.37-3ubuntu0.1
  librust-tar-dev                 0.4.37-3ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8138-1
  CVE-2026-33056

Package Information:
  https://launchpad.net/ubuntu/+source/rust-tar/0.4.43-4ubu...
  https://launchpad.net/ubuntu/+source/rust-tar/0.4.40-1ubu...
  https://launchpad.net/ubuntu/+source/rust-tar/0.4.37-3ubu...
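
One way to check a host against the fixed versions listed in the notice (an added example, not part of the Ubuntu notice). The function names are hypothetical; it assumes dpkg is present and that /etc/os-release reports the Ubuntu VERSION_ID, so derivatives with their own numbering show up as "unlisted".

```shell
#!/bin/sh
# Fixed package versions copied from USN-8138-1, keyed by Ubuntu VERSION_ID.
fixed_version() {   # $1 = VERSION_ID, $2 = binary package name
    case "$1:$2" in
        25.10:librust-tar-dev)          echo 0.4.43-4ubuntu0.1 ;;
        24.04:librust-tar-dev)          echo 0.4.40-1ubuntu0.1 ;;
        22.04:librust-tar-dev)          echo 0.4.37-3ubuntu0.1 ;;
        22.04:librust-tar+default-dev)  echo 0.4.37-3ubuntu0.1 ;;
        *) return 1 ;;                  # release/package not covered by this notice
    esac
}

# Prints "patched", "vulnerable (need <version>)" or "unlisted".
status_for() {      # $1 = VERSION_ID, $2 = package, $3 = installed version
    fixed=$(fixed_version "$1" "$2") || { echo unlisted; return 0; }
    # dpkg implements Debian version ordering (e.g. 4 < 4ubuntu0.1).
    if dpkg --compare-versions "$3" ge "$fixed"; then
        echo patched
    else
        echo "vulnerable (need $fixed)"
    fi
}

# Reports every affected package that is installed on this host.
# Runs in a subshell so sourcing os-release does not leak variables.
check_host() (
    [ -r /etc/os-release ] || return 0
    . /etc/os-release
    for pkg in librust-tar-dev librust-tar+default-dev; do
        ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || continue
        [ -n "$ver" ] || continue       # known to dpkg but not installed
        echo "$pkg $ver: $(status_for "$VERSION_ID" "$pkg" "$ver")"
    done
)

check_host
```

No output means neither package is installed on the host.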
