GHSA-fp55-jw48-c537

ADVISORY - github

Summary

Impact

Versions of astral-tokio-tar prior to 0.6.1 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected files onto a victim's filesystem.

See GHSA-j5gw-2vrg-8fgx for a similar desynchronization bug in astral-tokio-tar.

Patches

Versions 0.6.1 and newer of astral-tokio-tar address this differential.

Workarounds

Users are advised to upgrade to version 0.6.1 or newer to address this advisory.

There is no workaround other than upgrading. Users should experience no breaking changes as a result of the upgrade.

Resources

GHSA-j5gw-2vrg-8fgx is a similar PAX desynchronization bug

Attribution

Reporter: Adam Harvey (@lawngnome)

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-20⁠

Improper Input Validation

CWE-843⁠

Access of Resource Using Incompatible Type ('Type Confusion')

Impacted images

Advisories

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.