Add advisory for tokio-tar PAX mis-parsing (CVE-2025-62518)

2025-12-27 01:54:07 -05:00 · 2025-10-24 23:50:43 +02:00
parent e4a6f4fd31
commit 1d04e4121d
1 changed files with 34 additions and 0 deletions
--- a/crates/tokio-tar/RUSTSEC-0000-0000.md
+++ b/crates/tokio-tar/RUSTSEC-0000-0000.md
@@ -0,0 +1,34 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "tokio-tar"
+date = "2025-10-21"
+url = "https://edera.dev/stories/tarmageddon"
+categories = ["format-injection"]
+keywords = ["unsound", "parsing", "smuggling", "file-smuggling", "unmaintained"]
+related = ["CVE-2025-62518", "GHSA-j5gw-2vrg-8fgx"]
+
+[affected.functions]
+"tokio_tar::Archive::new" = ["<= 0.3.1"]
+"tokio_tar::ArchiveBuilder::new" = ["<= 0.3.1"]
+
+[versions]
+patched = []
+```
+
+# `tokio-tar` parses PAX extended headers incorrectly, allows file smuggling
+
+The archive reader incorrectly handles PAX extended headers, when the ustar
+header incorrectly specifies zero size (`size=000000000000`), while a PAX
+header specifies a non-zero size, `tokio-tar::Archive` is going to read the
+file content as tar entry header.
+
+This can be used by a tar file to present different content to `tokio-tar`
+compared to other tar reader implementations.
+
+This bug is also known as `CVE-2025-62518` and `GHSA-j5gw-2vrg-8fgx`, as those
+crates share a common ancestor codebase.
+
+The `tokio-tar` crate is archived and no longer maintained, we recommend you
+switch to an alternative crate such as:
+- [`astral-tokio-tar`](https://crates.io/crates/astral-tokio-tar)