{"id":"RUSTSEC-2026-0068","summary":"tar-rs incorrectly ignores PAX size headers if header size is nonzero","details":"Versions 0.4.44 and below of tar-rs have conditional logic that skips the PAX\nsize header in cases where the base header size is nonzero.\n\nAs part of [CVE-2025-62518][astral-cve], the [astral-tokio-tar]\nproject was changed to correctly honor PAX size headers in the case where it\nwas different from the base header. This is almost the inverse of the\nastral-tokio-tar issue.\n\nAny discrepancy in how tar parsers honor file size can be used to create\narchives that appear differently when unpacked by different archivers. In this\ncase, the tar-rs (Rust tar) crate is an outlier in checking for the header size\n— other tar parsers (including e.g. Go [`archive/tar`][go-tar]) unconditionally\nuse the PAX size override. This can affect anything that uses the tar crate to\nparse archives and expects to have a consistent view with other parsers.\n\nThis issue has been fixed in version 0.4.45.\n\n[astral-cve]: https://www.cve.org/CVERecord?id=CVE-2025-62518\n[astral-tokio-tar]: https://github.com/astral-sh/tokio-tar\n[go-tar]: https://pkg.go.dev/archive/tar","aliases":["CVE-2026-33055","GHSA-gchp-q4r4-x4ff"],"modified":"2026-03-23T09:45:06.562240Z","published":"2026-03-19T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/tar"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0068.html"}],"affected":[{"package":{"name":"tar","ecosystem":"crates.io","purl":"pkg:cargo/tar"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.4.45"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"os":[],"functions":[]}},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0068.json","categories":[],"informational":null,"cvss":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}]}