-
Fixed a parser desynchronization vulnerability when reading tar archives that contain mismatched size information in PAX/ustar headers.
This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx and CVE-2025-62518.
- This is a corrective release for 0.5.4 to fix a debugging artifact that was accidentally left in the release.
-
Fixed a path traversal vulnerability when using the
unpack_in_rawAPI by @charliermarshThis vulnerability is being tracked as GHSA-3wgq-wrwc-vqmv.
- Expose
TarErrorpublicly by @konstin in #52
- Enable opt-in to deny creation of symlinks outside target directory by @charliermarsh in #46
- Add test to reproduce issue in
impl Stream for Entriescausing filename truncation by @charliermarsh in #41 - Avoid truncation during pending reads by @charliermarsh in #40
- Setting
preserve_permissionstofalsewill avoid setting any permissions on extracted files. Inalexcrichton/tar-rs, settingpreserve_permissionstofalsewill still set read, write, and execute permissions on extracted files, but will avoid setting extended permissions (e.g.,setuid,setgid, andstickybits). - Avoid creating directories outside the unpack target (see:
alexcrichton/tar-rs#259). - Added
unpack_in_rawwhich memoizes the set of validated paths (and assumes a pre-canonicalized) unpack target to avoid redundant filesystem operations.