Bug 2450076 - rust-below: tar-rs: Arbitrary directory permission modification via crafted tar archive
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: rust-below
Version: rawhide
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Rust SIG
QA Contact:
URL:
Whiteboard:
Depends On: 2450075
Blocks: CVE-2026-33056 2450241
Reported: 2026-03-22 09:15 UTC by Ben Beasley
Modified: 2026-03-23 07:57 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:



Description Ben Beasley 2026-03-22 09:15:42 UTC
While rust-below wasn’t included in Red Hat prodsec’s mass bug filing for CVE-2026-33056, it does depend on rust-tar, and it’s possibly affected.

More information is available at https://www.cve.org/CVERecord?id=CVE-2026-33056. This flaw is fixed in version 0.4.45 of the tar crate. Updates for rust-tar-0.4.45 are in testing for all Fedora and EPEL branches, and buildroot overrides are active. All that’s required is therefore to rebuild the package.

Since rust-sig is a co-maintainer on this package, I would be happy to take care of rebuilding it and issuing updates, except that the package fails to build from source in Fedora 44 and 45/Rawhide, bug 2450075. Therefore, I’m not going to do anything further at the moment.

Reproducible: Always

