github-actions[bot] opened issue #12830:
`unpack_in` can chmod arbitrary directories by following symlinks

Details
- Package: tar
- Version: 0.4.41
- Date: 2026-03-19
- Patched versions: >=0.4.45

In versions 0.4.44 and below of tar-rs, when unpacking a tar archive, the tar
crate's `unpack_dir` function uses [fs::metadata()][fs-metadata] to check
whether a path that already exists is a directory. Because `fs::metadata()`
follows symbolic links, a crafted tarball containing a symlink entry followed
by a directory entry with the same name causes the crate to treat the symlink
target as a valid existing directory — and subsequently apply chmod to it. This
allows an attacker to modify the permissions of arbitrary directories outside
the extraction root.

This issue has been fixed in version 0.4.45.

[fs-metadata]: https://doc.rust-lang.org/std/fs/fn.metadata.html
See advisory page for additional details.
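
The root cause named in the advisory, `fs::metadata()` following symlinks where `fs::symlink_metadata()` does not, can be shown with the standard library alone. This is an added example, not code from the tar crate or the advisory; the function names and the directory layout are constructed for illustration, and it is Unix-only.

```rust
use std::fs::{self, Permissions};
use std::io;
use std::os::unix::fs::{symlink, PermissionsExt};
use std::path::Path;

// Simplified model (an assumption, not tar-rs source) of "the path already
// exists as a directory, so reuse it and apply the archive entry's mode".

/// Pattern from the advisory: fs::metadata() follows symlinks, so a symlink to
/// a directory passes the check and the chmod lands on the link target.
fn reuse_dir_following_links(path: &Path, mode: u32) -> io::Result<bool> {
    if fs::metadata(path)?.is_dir() {
        fs::set_permissions(path, Permissions::from_mode(mode))?;
        return Ok(true);
    }
    Ok(false)
}

/// Hardened form: fs::symlink_metadata() describes the path itself, so a
/// symlink is never accepted as an existing directory and no chmod happens.
fn reuse_dir_no_follow(path: &Path, mode: u32) -> io::Result<bool> {
    if fs::symlink_metadata(path)?.file_type().is_dir() {
        fs::set_permissions(path, Permissions::from_mode(mode))?;
        return Ok(true);
    }
    Ok(false)
}

/// Constructed layout under `base`: `outside/` (mode 0700) and `root/entry`,
/// a symlink to `outside/`. Returns outside's mode after each variant runs.
fn demo(base: &Path) -> io::Result<(u32, u32)> {
    let (root, outside) = (base.join("root"), base.join("outside"));
    fs::create_dir_all(&root)?;
    fs::create_dir_all(&outside)?;
    symlink(&outside, root.join("entry"))?;
    fs::set_permissions(&outside, Permissions::from_mode(0o700))?;
    reuse_dir_no_follow(&root.join("entry"), 0o755)?;
    let after_hardened = fs::metadata(&outside)?.permissions().mode() & 0o777;
    reuse_dir_following_links(&root.join("entry"), 0o755)?;
    Ok((after_hardened, fs::metadata(&outside)?.permissions().mode() & 0o777))
}

fn main() -> io::Result<()> {
    let base = std::env::temp_dir().join(format!("symlink_chmod_demo_{}", std::process::id()));
    let (hardened, following) = demo(&base)?;
    println!("outside/ mode after no-follow check: {:o}, after following check: {:o}", hardened, following);
    fs::remove_dir_all(&base)
}
```
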
pchickey closed issue #12830:
`unpack_in` can chmod arbitrary directories by following symlinks
Last updated: Apr 12 2026 at 23:10 UTC