Bug 2449672
| Summary: | CVE-2026-33056 bpfman: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all] | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jon Moroney <jmoroney> |
| Component: | bpfman | Assignee: | Daniel Mellado <dmellado> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | code, dmellado, rust-sig |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | {"flaws": ["e52268c3-21cf-4253-ace1-12d88ee6b1bf"]} | ||
| Fixed In Version: | bpfman-0.5.4-7.fc45 | Doc Type: | --- |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2026-03-22 10:39:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2449490 | ||
|
Description
Jon Moroney
2026-03-20 17:55:06 UTC
More information is available at https://www.cve.org/CVERecord?id=CVE-2026-33056. This flaw is fixed in version 0.4.45 of the tar crate. Updates for rust-tar-0.4.45 are in testing for all Fedora and EPEL branches, and buildroot overrides are active. However, since bpfman uses vendored Rust crate dependencies, its maintainers would need to fix this separately within the package’s dependency bundle. Scratch build with the bumped version here https://koji.fedoraproject.org/koji/taskinfo?taskID=143600888, I'll update the repo after the build succeeds Done, I'll wait for this to build https://koji.fedoraproject.org/koji/taskinfo?taskID=143601434 and then submit a package update for the latest build, + other f branches, tanks Ben! FEDORA-2026-ae0b7bdc90 (bpfman-0.5.4-7.fc45) has been submitted as an update to Fedora 45. https://bodhi.fedoraproject.org/updates/FEDORA-2026-ae0b7bdc90 FEDORA-2026-ae0b7bdc90 (bpfman-0.5.4-7.fc45) has been pushed to the Fedora 45 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2026-2fc36ddefe (bpfman-0.5.4-7.fc44) has been submitted as an update to Fedora 44. https://bodhi.fedoraproject.org/updates/FEDORA-2026-2fc36ddefe FEDORA-2026-d62d7fe77e (bpfman-0.5.4-5.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2026-d62d7fe77e FEDORA-2026-b4d393799a (bpfman-0.5.4-6.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2026-b4d393799a FEDORA-2026-b4d393799a has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-b4d393799a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-b4d393799a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2026-d62d7fe77e has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-d62d7fe77e` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-d62d7fe77e See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2026-2fc36ddefe has been pushed to the Fedora 44 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-2fc36ddefe` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-2fc36ddefe See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. |