Update Rust crate astral-tokio-tar to v0.5.4 [SECURITY] #11968
Merged
This PR contains the following updates:
astral-tokio-tar (Rust crate): =0.5.3 -> =0.5.4
GitHub Vulnerability Alerts
GHSA-3wgq-wrwc-vqmv
Impact
In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpack_in_raw API. Additionally, the Entry::allow_external_symlinks control (which defaults to true) could be bypassed via a pair of symlinks that individually point within the destination but combine to point outside of it.
These behaviors could be used individually or combined to bypass the intended security control of limiting extraction to the given directory. This in turn would allow an attacker with a malicious tar archive to perform an arbitrary file write and potentially pivot into code execution (e.g. by overwriting a file that the user or system then executes or uses to execute code).
The impact of this vulnerability for downstream API users of this crate is high, per above. However, for this crate's main downstream user (uv), the impact of this vulnerability is low due to its overlap with equivalent user capabilities in source distributions. See GHSA-7j9j-68r2-f35q for additional details.
Patches
Versions 0.5.4 and newer of astral-tokio-tar address the vulnerability above. Users should upgrade to 0.5.4 or newer.
Workarounds
Users are advised to upgrade to version 0.5.4 or newer to address this advisory.
There is no workaround other than upgrading.
References
Release Notes
astral-sh/tokio-tar (astral-tokio-tar)
v0.5.4
Compare Source
Fixed a path traversal vulnerability when using the unpack_in_raw API by @charliermarsh
This vulnerability is being tracked as GHSA-3wgq-wrwc-vqmv.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.