PAX Header Desynchronization in astral-tokio-tar
| Details | |
|---|---|
| Package | astral-tokio-tar |
| Version | 0.6.0 |
| URL | GHSA-fp55-jw48-c537 |
| Date | 2026-04-27 |
| Patched versions | >=0.6.1 |
Versions of astral-tokio-tar prior to 0.6.1 contain a PAX header interpretation
bug: a crafted archive can make entries selectively visible or invisible when
extracted with astral-tokio-tar, while other tar implementations see a different
set of entries. An attacker could use this parser differential to smuggle
unexpected files onto a victim's filesystem.

See the advisory page for additional details.