Fluid Attacks Database

Description

tar-rs unpack_in can chmod arbitrary directories by following symlinks

Summary

When unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root.

Reproducer

A malicious tarball contains two entries: (1) a symlink foo pointing to an arbitrary external directory, and (2) a directory entry foo/. (or just foo). When unpacked, create_dir("foo") fails with EEXIST because the symlink is already on disk. The fs::metadata() check then follows the symlink, sees a directory at the target, and allows processing to continue. The directory entry's mode bits are then applied via chmod, which also follows the symlink — modifying the permissions of the external target directory.

Fix

The fix is very simple, we now use fs::symlink_metadata() in unpack_dir, so symlinks are detected and rejected rather than followed.

Credit

This issue was reported by @xokdvium - thank you!

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	rust-tar	=0.4.38-1 \|\| =0.4.38-2 \|\| =0.4.40-1 \|\| =0.4.43-1 \|\| =0.4.43-2 \|\| =0.4.43-3 \|\| =0.4.43-4 \|\| =0.4.44-1 \|\| =0.4.45-1 \|\| =0.4.45-2	-
rpm rhel8	rpm-ostree	-	-
rpm rhel9	rpm-ostree	-	-
rpm rhel9	rust	-	-
rpm rhel8	tar	-	-
alpine v3.23	rust	=1.10.0-r0 \|\| =1.10.0-r1 \|\| =1.16.0-r0 \|\| =1.16.0-r1 \|\| =1.16.0-r2 \|\| =1.16.0-r3 \|\| =1.16.0-r4 \|\| =1.16.0-r5 \|\| =1.17.0-r0 \|\| =1.17.0-r1 \|\| =1.17.0-r2 \|\| =1.17.0-r3 \|\| =1.18.0-r1 \|\| =1.19.0-r0 \|\| =1.20.0-r0 \|\| =1.21.0-r0 \|\| =1.21.0-r1 \|\| =1.22.1-r0 \|\| =1.23.0-r0 \|\| =1.23.0-r1 \|\| =1.24.0-r0 \|\| =1.24.1-r0 \|\| =1.25.0-r0 \|\| =1.26.0-r0 \|\| =1.26.0-r1 \|\| =1.26.2-r0 \|\| =1.27.0-r0 \|\| =1.27.2-r0 \|\| =1.28.0-r0 \|\| =1.29.0-r0 \|\| =1.30.0-r0 \|\| =1.30.0-r1 \|\| =1.31.1-r1 \|\| =1.31.1-r2 \|\| =1.32.0-r0 \|\| =1.33.0-r0 \|\| =1.34.2-r0 \|\| =1.34.2-r1 \|\| =1.35.0-r0 \|\| =1.36.0-r0 \|\| =1.37.0-r0 \|\| =1.38.0-r0 \|\| =1.38.0-r1 \|\| =1.38.0-r2 \|\| =1.39.0-r0 \|\| =1.40.0-r0 \|\| =1.40.0-r1 \|\| =1.41.0-r0 \|\| =1.41.0-r1 \|\| =1.41.1-r0 \|\| =1.42.0-r0 \|\| =1.42.0-r1 \|\| =1.42.0-r2 \|\| =1.43.0-r0 \|\| =1.43.1-r0 \|\| =1.43.1-r1 \|\| =1.44.0-r0 \|\| =1.44.1-r0 \|\| =1.45.1-r0 \|\| =1.45.2-r0 \|\| =1.46.0-r0 \|\| =1.46.0-r1 \|\| =1.46.0-r2 \|\| =1.47.0-r0 \|\| =1.47.0-r1 \|\| =1.47.0-r2 \|\| =1.48.0-r0 \|\| =1.49.0-r0 \|\| =1.50.0-r0 \|\| =1.50.0-r1 \|\| =1.51.0-r0 \|\| =1.51.0-r1 \|\| =1.51.0-r2 \|\| =1.52.0-r0 \|\| =1.52.1-r0 \|\| =1.52.1-r1 \|\| =1.53.0-r0 \|\| =1.54.0-r0 \|\| =1.55.0-r0 \|\| =1.55.0-r1 \|\| =1.55.0-r2 \|\| =1.55.0-r3 \|\| =1.56.1-r0 \|\| =1.57.0-r0 \|\| =1.58.0-r0 \|\| =1.58.0-r1 \|\| =1.58.1-r0 \|\| =1.59.0-r0 \|\| =1.59.0-r1 \|\| =1.60.0-r0 \|\| =1.60.0-r1 \|\| =1.60.0-r2 \|\| =1.60.0-r3 \|\| =1.61.0-r0 \|\| =1.62.0-r0 \|\| =1.62.0-r1 \|\| =1.62.1-r0 \|\| =1.62.1-r1 \|\| =1.62.1-r2 \|\| =1.63.0-r0 \|\| =1.64.0-r0 \|\| =1.64.0-r1 \|\| =1.64.0-r2 \|\| =1.65.0-r0 \|\| =1.65.0-r1 \|\| =1.66.0-r0 \|\| =1.66.1-r0 \|\| =1.66.1-r1 \|\| =1.66.1-r2 \|\| =1.67.0-r0 \|\| =1.67.0-r1 \|\| =1.67.0-r2 \|\| =1.67.1-r0 \|\| =1.68.0-r0 \|\| =1.68.0-r1 \|\| =1.68.1-r0 \|\| =1.68.2-r0 \|\| =1.69.0-r0 \|\| =1.69.0-r1 \|\| =1.69.0-r10 \|\| =1.69.0-r2 \|\| =1.69.0-r3 \|\| =1.69.0-r4 \|\| =1.69.0-r5 \|\| =1.69.0-r6 \|\| =1.69.0-r7 \|\| =1.69.0-r8 \|\| =1.69.0-r9 \|\| =1.70.0-r0 \|\| =1.70.0-r1 \|\| =1.70.0-r2 \|\| =1.70.0-r3 \|\| =1.70.0-r4 \|\| =1.71.0-r0 \|\| =1.71.0-r1 \|\| =1.71.0-r2 \|\| =1.71.1-r0 \|\| =1.72.0-r0 \|\| =1.72.1-r0 \|\| =1.73.0-r0 \|\| =1.73.0-r1 \|\| =1.74.1-r0 \|\| =1.75.0-r0 \|\| =1.76.0-r0 \|\| =1.76.0-r1 \|\| =1.77.0-r0 \|\| =1.77.0-r1 \|\| =1.78.0-r0 \|\| =1.79.0-r0 \|\| =1.79.0-r1 \|\| =1.80.0-r0 \|\| =1.80.1-r0 \|\| =1.81.0-r0 \|\| =1.82.0-r0 \|\| =1.82.0-r1 \|\| =1.82.0-r2 \|\| =1.83.0-r0 \|\| =1.84.0-r0 \|\| =1.84.1-r0 \|\| =1.85.0-r0 \|\| =1.85.1-r0 \|\| =1.86.0-r0 \|\| =1.86.0-r1 \|\| =1.86.0-r2 \|\| =1.87.0-r0 \|\| =1.87.0-r1 \|\| =1.88.0-r0 \|\| =1.88.0-r1 \|\| =1.89.0-r0 \|\| =1.90.0-r0 \|\| =1.90.0-r1 \|\| =1.91.0-r0 \|\| =1.91.1-r0 \|\| >=0 <1.91.1-r1	1.91.1-r1
rpm rhel9	tar	-	-
debian 14	rust-tar	=0.4.43-4 \|\| =0.4.44-1 \|\| >=0 <0.4.45-1	0.4.45-1
rpm rhel9	bootc	-	-
rpm rhel10	mesa	-	-

1-10 of 34

Aliases

1. CVE-2026-330562. NVD-2026-330563. OSV-DEBIAN-2026-330564. OSV-2026-330565. OSV-ALPINE-2026-330566. GHSA-j4xf-2g29-59ph7. GCVE-2026-330568. SECURITY-TRACKER-CVE-2026-330569. SECURITY-CVE-2026-33056

References

1. https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph2. https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd2664463. https://rustsec.org/advisories/RUSTSEC-2026-0067.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.