Bug 2449490 (CVE-2026-33056) - CVE-2026-33056 tar-rs: tar-rs: Arbitrary directory permission modification via crafted tar archive
Keywords:
Status: NEW
Alias: CVE-2026-33056
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2449669 2449670 2449671 2449673 2449674 2449675 2449676 2449677 2449678 2449679 2449680 2449681 2449683 2449684 2449685 2449686 2449687 2449689 2449692 2449693 2449694 2449695 2450076 2449672 2449682 2449688 2449690 2449691
Blocks:
Reported: 2026-03-20 08:02 UTC by OSIDB Bzimport
Modified: 2026-03-22 09:16 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-20 08:02:32 UTC
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.
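The description hinges on one property of the Rust standard library: `fs::metadata()` resolves symbolic links before reporting a file type, while `fs::symlink_metadata()` reports on the link itself. The following is an added illustration, not code from tar-rs or from the fix, that builds a constructed layout in a temporary directory (an extraction root containing a symlink named `entry` that points at a sibling directory outside the root) and shows that the symlink-following check accepts the link as an "existing directory" while the non-following check rejects it. The helper names (`is_existing_dir_following_symlinks`, `is_existing_dir_no_follow`, `chmod_existing_dir`, `build_scenario`, `compare_checks`) are chosen here and are not tar-rs identifiers.

```rust
// Added example (not tar-rs code): contrast a symlink-following existence
// check with one that refuses to treat a symlink as an existing directory.
// Unix-only because it creates a symlink and sets a numeric mode.
use std::fs;
use std::os::unix::fs::{symlink, PermissionsExt};
use std::path::{Path, PathBuf};

/// Models the check the advisory describes: fs::metadata() follows symlinks,
/// so a symlink that points at a directory is reported as a directory.
pub fn is_existing_dir_following_symlinks(path: &Path) -> bool {
    fs::metadata(path).map(|m| m.is_dir()).unwrap_or(false)
}

/// Non-following check: fs::symlink_metadata() describes the link itself,
/// so a symlink is never mistaken for an existing directory.
pub fn is_existing_dir_no_follow(path: &Path) -> bool {
    fs::symlink_metadata(path)
        .map(|m| m.file_type().is_dir())
        .unwrap_or(false)
}

/// Applies `mode` only when `path` is a real directory (not a symlink).
/// fs::set_permissions() itself follows symlinks, so the guard must run first.
/// Returns Ok(true) if permissions were changed, Ok(false) if the path was skipped.
pub fn chmod_existing_dir(path: &Path, mode: u32) -> std::io::Result<bool> {
    if !is_existing_dir_no_follow(path) {
        return Ok(false);
    }
    fs::set_permissions(path, fs::Permissions::from_mode(mode))?;
    Ok(true)
}

/// Builds a constructed scenario under a fresh temporary directory:
///   <base>/outside/        a real directory outside the extraction root
///   <base>/root/           the extraction root
///   <base>/root/entry  ->  symlink to ../outside
/// Returns (outside, link).
pub fn build_scenario(tag: &str) -> std::io::Result<(PathBuf, PathBuf)> {
    let base = std::env::temp_dir()
        .join(format!("symlink-dir-check-demo-{}-{}", std::process::id(), tag));
    let _ = fs::remove_dir_all(&base);
    let outside = base.join("outside");
    let root = base.join("root");
    fs::create_dir_all(&outside)?;
    fs::create_dir_all(&root)?;
    let link = root.join("entry");
    symlink("../outside", &link)?;
    Ok((outside, link))
}

/// Runs both checks against the symlink; returns (following, no_follow).
pub fn compare_checks(tag: &str) -> std::io::Result<(bool, bool)> {
    let (_outside, link) = build_scenario(tag)?;
    Ok((
        is_existing_dir_following_symlinks(&link),
        is_existing_dir_no_follow(&link),
    ))
}

fn main() -> std::io::Result<()> {
    let (following, no_follow) = compare_checks("main")?;
    println!("fs::metadata reports a directory:         {}", following);
    println!("fs::symlink_metadata reports a directory: {}", no_follow);
    Ok(())
}
```

The guard in `chmod_existing_dir` closes the confusion the advisory describes but is still a check-then-act sequence: a path could be replaced between the metadata call and the chmod. Extractors that need to be robust against that race open the directory first and operate on the descriptor, and should additionally reject any archive whose entry paths escape the extraction root after symlink resolution.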

