rust-astral-tokio-tar - Debian Package Tracker

general

versioned links

0.5.2-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.5.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

action needed

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2025-09-27 Last update: 2025-09-27 03:02

20 open merge requests in Salsa normal

There are 20 open merge requests for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-08-19 Last update: 2025-09-24 19:03

1 low-priority security issue in trixie low

1 issue left for the package maintainer to handle:

CVE-2025-59825: (needs triaging) astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpack_in_raw API. Additionally, the Entry::allow_external_symlinks control (which defaults to true) could be bypassed via a pair of symlinks that individually point within the destination but combine to point outside of it. These behaviors could be used individually or combined to bypass the intended security control of limiting extraction to the given directory. This in turn would allow an attacker with a malicious tar archive to perform an arbitrary file write and potentially pivot into code execution. This issue has been patched in version 0.5.4. There is no workaround other than upgrading.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-09-24 Last update: 2025-09-29 05:30

debian/patches: 2 patches to forward upstream low

Among the 2 debian patches available in version 0.5.5-1 of the package, we noticed the following issues:

2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2025-02-14 Last update: 2025-09-27 08:32

[2025-09-29] rust-astral-tokio-tar 0.5.5-1 MIGRATED to testing (Debian testing watch)
[2025-09-26] Accepted rust-astral-tokio-tar 0.5.5-1 (source) into unstable (Matthias Geiger)
[2025-04-26] rust-astral-tokio-tar 0.5.2-2 MIGRATED to testing (Debian testing watch)
[2025-04-15] Accepted rust-astral-tokio-tar 0.5.2-2 (source) into unstable (Matthias Geiger)
[2025-04-01] Accepted rust-astral-tokio-tar 0.5.2-1 (source) into unstable (Matthias Geiger)
[2025-02-19] rust-astral-tokio-tar 0.5.1-1 MIGRATED to testing (Debian testing watch)
[2025-02-13] Accepted rust-astral-tokio-tar 0.5.1-1 (amd64 source) into unstable (Debian FTP Masters) (signed by: Matthias Geiger)

bugs [bug history graph]

links

ubuntu