tar-rs could be made to modify permissions on arbitrary directories.
Software Description:
- rust-tar: A tar archive reading/writing library for Rust
Details:
USN-8138-1 fixed a vulnerability in tar-rs. This update provides the
corresponding update for Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that tar-rs incorrectly handled symlinks when unpacking
a tar archive. If a user or automated system were tricked into processing
a specially crafted tar archive, a remote attacker could use this issue to
modify permissions of arbitrary directories outside the extraction root,
and possibly escalate privileges.
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
librust-tar-dev 0.4.26-1ubuntu0.1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.https://ubuntu.com/security/notices/USN-8138-2
https://ubuntu.com/security/notices/USN-8138-1
CVE-2026-33056
Get the latest Linux and open source security news straight to your inbox.