GHSA-xx64-wwv2-hcqq

ADVISORY - github

Summary

Impact

In versions 0.6.0 and earlier of astral-tokio-tar, the unpack_in API could inadvertently modify the permissions of external (i.e. non-archive) directories outside of the extraction hierarchy. An attacker could use this to construct a tar archive that maliciously changes the permissions of directories outside of its intended hierarchy. This flaw only affects directories; individual file permissions cannot be modified via it.

See GHSA-j4xf-2g29-59ph for the equivalent flaw in the tar crate.

Patches

Versions 0.6.1 and newer of astral-tokio-tar use fs::symlink_metadata rather than fs::metadata when deciding whether an unpacked entry is a directory whose permissions should be applied. fs::metadata follows symlinks, so a symlink planted earlier by the archive resolved to a directory outside the extraction root and was chmodded; fs::symlink_metadata reports on the link itself, avoiding the traversal.
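The following is an added example, not code from astral-tokio-tar or the tar crate, that reproduces the pattern behind this advisory on a Unix host. The function names (apply_dir_mode_vulnerable, apply_dir_mode_fixed, build_scenario, outside_mode_after) and the temporary directory layout are assumptions made for illustration. It lays out an extraction root containing a symlink to a directory outside the root (mode 0700), as a malicious archive entry would, then applies a directory mode of 0777 through that entry once with fs::metadata and once with fs::symlink_metadata, and reports the resulting mode of the outside directory.

```rust
// Added example (not astral-tokio-tar's own code). Demonstrates why
// fs::metadata lets an archive chmod a directory outside the extraction
// root through a symlink, and why fs::symlink_metadata does not.
use std::fs;
use std::io;
use std::os::unix::fs::{symlink, PermissionsExt};
use std::path::{Path, PathBuf};

/// Vulnerable pattern (hypothetical): fs::metadata follows symlinks, so a
/// symlink entry planted by the archive looks like a directory and the
/// subsequent chmod lands on its target. Returns whether a chmod happened.
pub fn apply_dir_mode_vulnerable(dir_path: &Path, mode: u32) -> io::Result<bool> {
    let meta = fs::metadata(dir_path)?; // follows the symlink
    if meta.is_dir() {
        // set_permissions calls chmod(2), which also follows symlinks.
        fs::set_permissions(dir_path, fs::Permissions::from_mode(mode))?;
        return Ok(true);
    }
    Ok(false)
}

/// Fixed pattern (hypothetical): fs::symlink_metadata reports on the path
/// itself. A symlink is not a directory, so no chmod is applied through it.
pub fn apply_dir_mode_fixed(dir_path: &Path, mode: u32) -> io::Result<bool> {
    let meta = fs::symlink_metadata(dir_path)?; // does not follow the symlink
    if meta.file_type().is_symlink() || !meta.is_dir() {
        return Ok(false);
    }
    fs::set_permissions(dir_path, fs::Permissions::from_mode(mode))?;
    Ok(true)
}

/// Constructed scenario: `outside` (mode 0700) next to an extraction root,
/// and an entry `extract/evil` inside the root that symlinks to `outside`.
/// Returns (outside, symlink_entry).
pub fn build_scenario(base: &Path) -> io::Result<(PathBuf, PathBuf)> {
    let _ = fs::remove_dir_all(base);
    let outside = base.join("outside");
    let root = base.join("extract");
    fs::create_dir_all(&outside)?;
    fs::create_dir_all(&root)?;
    fs::set_permissions(&outside, fs::Permissions::from_mode(0o700))?;
    let entry = root.join("evil");
    symlink(&outside, &entry)?;
    Ok((outside, entry))
}

/// Permission bits of `path` without following symlinks.
pub fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::symlink_metadata(path)?.permissions().mode() & 0o7777)
}

/// Run the scenario against one implementation. Returns (chmod_applied,
/// resulting mode of the outside directory) and cleans up afterwards.
pub fn outside_mode_after(use_fixed: bool) -> io::Result<(bool, u32)> {
    let label = if use_fixed { "fixed" } else { "vuln" };
    let base = std::env::temp_dir()
        .join(format!("ghsa-xx64-demo-{}-{}", label, std::process::id()));
    let (outside, entry) = build_scenario(&base)?;
    let applied = if use_fixed {
        apply_dir_mode_fixed(&entry, 0o777)?
    } else {
        apply_dir_mode_vulnerable(&entry, 0o777)?
    };
    let mode = mode_of(&outside)?;
    let _ = fs::remove_dir_all(&base);
    Ok((applied, mode))
}

fn main() -> io::Result<()> {
    let (v_applied, v_mode) = outside_mode_after(false)?;
    let (f_applied, f_mode) = outside_mode_after(true)?;
    println!("fs::metadata:         chmod applied={} outside mode={:o}", v_applied, v_mode);
    println!("fs::symlink_metadata: chmod applied={} outside mode={:o}", f_applied, f_mode);
    Ok(())
}
```

With fs::metadata the outside directory ends up mode 0777 even though it was never part of the archive; with fs::symlink_metadata the symlink entry is skipped and the outside directory keeps mode 0700. A hardened unpacker should apply the same rule to every path it is about to chmod, not only to directory entries.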

Workarounds

Users are advised to upgrade to version 0.6.1 or newer to address this advisory.

Users should experience no breaking changes as a result of the patch above.

Resources

  • GHSA-j4xf-2g29-59ph for the original tar vulnerability

Attribution

  • Reporter: Adam Harvey (@lawngnome)

Common Weakness Enumeration (CWE)


UNIX Symbolic Link (Symlink) Following
