[Pkg-rust-maintainers] Bug#1116337: rust-astral-tokio-tar: CVE-2025-59825

Salvatore Bonaccorso carnil at debian.org
Thu Sep 25 19:58:34 BST 2025


Source: rust-astral-tokio-tar
Version: 0.5.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for rust-astral-tokio-tar.

CVE-2025-59825[0]:
| astral-tokio-tar is a tar archive reading/writing library for async
| Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar
| archives may extract outside of their intended destination directory
| when using the Entry::unpack_in_raw API. Additionally, the
| Entry::allow_external_symlinks control (which defaults to true)
| could be bypassed via a pair of symlinks that individually point
| within the destination but combine to point outside of it. These
| behaviors could be used individually or combined to bypass the
| intended security control of limiting extraction to the given
| directory. This in turn would allow an attacker with a malicious tar
| archive to perform an arbitrary file write and potentially pivot
| into code execution. This issue has been patched in version 0.5.4.
| There is no workaround other than upgrading.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-59825
    https://www.cve.org/CVERecord?id=CVE-2025-59825
[1] https://github.com/advisories/GHSA-3wgq-wrwc-vqmv
[2] https://github.com/astral-sh/tokio-tar/commit/036fdecc85c52458ace92dc9e02e9cef90684e75

Regards,
Salvatore
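
Added example (not code from astral-tokio-tar, the Debian package, or the
upstream fix; the page only gives the CVE text, not the library's internals):
a miniature extractor in Rust that reproduces the "two symlinks that each
point inside the destination but combine to point outside it" pattern from
the CVE description, and the on-disk check that stops it. The Entry type,
the ATTACK entry list, and the unpack/run_demo helpers are constructed for
this demonstration and are not tokio-tar's API. Unix only, since it creates
real symlinks in a scratch directory under the system temp dir.

```rust
// Added example, not astral-tokio-tar code. Unix only: it creates real symlinks.
use std::os::unix::fs::symlink;
use std::path::{Component, Path, PathBuf};
use std::time::{SystemTime, UNIX_EPOCH};
use std::{fs, io};

/// Stand-in for tar entries (constructed for this example, not a tar parser).
#[derive(Debug, Clone, Copy)]
enum Entry {
    Dir(&'static str),
    Symlink { path: &'static str, target: &'static str },
    File { path: &'static str, data: &'static [u8] },
}

/// Constructed malicious archive. Lexically link1 -> dest and link2 -> dest/d1/d2,
/// but on disk link1 IS dest, so "link1/.." is dest's parent: link2 escapes.
const ATTACK: [Entry; 5] = [
    Entry::Dir("d1"),
    Entry::Dir("d1/d2"),
    Entry::Symlink { path: "d1/d2/link1", target: "../.." },
    Entry::Symlink { path: "link2", target: "d1/d2/link1/.." },
    Entry::File { path: "link2/pwned.txt", data: b"escaped\n" },
];

fn escape(p: &Path) -> io::Error {
    io::Error::new(io::ErrorKind::PermissionDenied, format!("{} escapes dest", p.display()))
}

/// Lexical normalisation of `rel` under `dest`: collapses "." and ".." in the string
/// only. Alone this is the weak check: it knows nothing about symlinks already on disk.
fn lexical_resolve(dest: &Path, rel: &Path) -> Option<PathBuf> {
    let mut out = dest.to_path_buf();
    for c in rel.components() {
        match c {
            Component::Normal(n) => out.push(n),
            Component::CurDir => {}
            Component::ParentDir if out.as_path() == dest => return None,
            Component::ParentDir => { out.pop(); }
            Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    Some(out)
}

/// A symlink's target expressed relative to dest, for the lexical check.
fn target_rel(path: &str, target: &str) -> PathBuf {
    Path::new(path).parent().unwrap_or(Path::new("")).join(target)
}

/// Extract `entries` under `dest`. `on_disk_checks == false` is the vulnerable pattern
/// (lexical checks only); `true` also requires each entry's parent directory, and any
/// symlink target that already resolves on disk, to canonicalize inside canonical dest.
fn unpack(dest: &Path, entries: &[Entry], on_disk_checks: bool) -> io::Result<()> {
    let dest_canon = fs::canonicalize(dest)?;
    let inside = |p: &Path| -> io::Result<()> {
        if !on_disk_checks || fs::canonicalize(p)?.starts_with(&dest_canon) { Ok(()) } else { Err(escape(p)) }
    };
    let place = |rel: &str| -> io::Result<PathBuf> {
        let rel = Path::new(rel);
        let full = lexical_resolve(dest, rel).ok_or_else(|| escape(rel))?;
        inside(full.parent().ok_or_else(|| escape(rel))?)?; // where does it really land?
        Ok(full)
    };
    for e in entries {
        match *e {
            Entry::Dir(p) => fs::create_dir(place(p)?)?,
            Entry::Symlink { path, target } => {
                let full = place(path)?;
                let t = target_rel(path, target);
                lexical_resolve(dest, &t).ok_or_else(|| escape(&t))?;
                // link2 is caught here: d1/d2/link1/.. canonicalizes to dest's parent.
                let on_disk = full.parent().unwrap_or(dest).join(target);
                if on_disk.exists() { inside(on_disk.as_path())?; }
                symlink(target, full)?;
            }
            // Without on-disk checks the kernel follows link2 -> link1/.. on this write.
            Entry::File { path, data } => fs::write(place(path)?, data)?,
        }
    }
    Ok(())
}

/// Runs both modes in a fresh scratch dir. Returns (vulnerable run wrote a file
/// outside dest, vulnerable run wrote dest/pwned.txt, hardened run returned an error).
pub fn run_demo() -> io::Result<(bool, bool, bool)> {
    let nanos = SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_nanos()).unwrap_or(0);
    let scratch = std::env::temp_dir().join(format!("tar-escape-demo-{}-{}", std::process::id(), nanos));
    let result = (|| -> io::Result<(bool, bool, bool)> {
        let (vuln, safe) = (scratch.join("vuln"), scratch.join("safe"));
        fs::create_dir_all(&vuln)?;
        fs::create_dir_all(&safe)?;
        unpack(&vuln, &ATTACK, false)?;
        let rejected = unpack(&safe, &ATTACK, true).is_err();
        Ok((scratch.join("pwned.txt").is_file(), vuln.join("pwned.txt").is_file(), rejected))
    })();
    let _ = fs::remove_dir_all(&scratch); // tidy up, including the escaped file
    result
}

fn main() -> io::Result<()> { println!("{:?}", run_demo()?); Ok(()) } // (true, false, true)
```

The point the example makes: validating each symlink target on its own, even
with ".." collapsed, is not enough once earlier entries have already put
symlinks on disk, because the kernel resolves "link1/.." relative to what
link1 points at, not to where link1 sits. The hardened mode asks the
filesystem (canonicalize) where each entry's parent directory and each
already-resolvable symlink target really land before creating anything, and
rejects the second link of the pair. A real extractor has more to handle
(hard links, entries that replace an existing symlink, race conditions with
a concurrent writer), which this stand-in deliberately leaves out.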


