{"id":"USN-8138-2","summary":"rust-tar vulnerability","details":"USN-8138-1 fixed a vulnerability in tar-rs. This update provides the\ncorresponding update for Ubuntu 20.04 LTS.\n\nOriginal advisory details:\n\n It was discovered that tar-rs incorrectly handled symlinks when unpacking\n a tar archive. If a user or automated system were tricked into processing\n a specially crafted tar archive, a remote attacker could use this issue to\n modify permissions of arbitrary directories outside the extraction root,\n and possibly escalate privileges.","modified":"2026-04-15T09:16:36.919779601Z","published":"2026-04-14T20:01:22Z","upstream":["CVE-2026-33056","UBUNTU-CVE-2026-33056"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8138-2"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-33056"}],"affected":[{"package":{"name":"rust-tar","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/rust-tar@0.4.26-1ubuntu0.1?arch=source&distro=esm-infra/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.4.26-1ubuntu0.1"}]}],"versions":["0.4.26-1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro","binaries":[{"binary_version":"0.4.26-1ubuntu0.1","binary_name":"librust-tar+default-dev"},{"binary_version":"0.4.26-1ubuntu0.1","binary_name":"librust-tar-dev"}]},"database_specific":{"cves_map":{"cves":[],"ecosystem":"Ubuntu:Pro:20.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8138-2.json"}}],"schema_version":"1.7.5"}