unpack_in can chmod arbitrary directories by following symlinks
In versions 0.6.0 and earlier of astral-tokio-tar, the unpack_in API could
inadvertently modify the permissions of external (i.e. non-archive) directories
outside of the archive. An attacker could use this to contrite a tar archive
that maliciously changes directory permissions outside of its intended
hierarchy. This flaw only affects directories; individual file permissions
cannot be modified via it.
See GHSA-j4xf-2g29-59ph for the equivalent flaw in the tar crate.
See advisory page for additional details.
astral-tokio-tar0.6.0>=0.6.1In versions 0.6.0 and earlier of astral-tokio-tar, the unpack_in API could
inadvertently modify the permissions of external (i.e. non-archive) directories
outside of the archive. An attacker could use this to contrite a tar archive
that maliciously changes directory permissions outside of its intended
hierarchy. This flaw only affects directories; individual file permissions
cannot be modified via it.
See GHSA-j4xf-2g29-59ph for the equivalent flaw in the tar crate.
See advisory page for additional details.