rust-astral-tokio-tar - Debian Package Tracker

general

source: rust-astral-tokio-tar (main)
version: 0.6.2-1
maintainer: Debian Rust Maintainers (archive) (DMD)
uploaders: kpcyrd [DMD] – Matthias Geiger [DMD]
arch: any
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 0.5.2-2
testing: 0.6.1-1
unstable: 0.6.2-1

versioned links

0.5.2-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.6.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.6.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

librust-astral-tokio-tar-dev

action needed

Debci reports failed tests high

unstable: pass (log)
The tests ran in 0:02:49
Last run: 2026-04-19T14:51:14.000Z
Previous status: unknown

testing: fail (log)
The tests ran in 0:02:39
Last run: 2026-03-26T10:19:32.000Z
Previous status: unknown

stable: pass (log)
The tests ran in 0:03:23
Last run: 2026-05-16T08:48:32.000Z
Previous status: unknown

Created: 2026-03-26 Last update: 2026-05-21 17:01

6 security issues in trixie high

There are 6 open security issues in trixie.

3 important issues:

TEMP-0000000-53D7AE:
TEMP-0000000-5DEDAF:
TEMP-0000000-E81ECD:

3 issues left for the package maintainer to handle:

CVE-2025-59825: (needs triaging) astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpack_in_raw API. Additionally, the Entry::allow_external_symlinks control (which defaults to true) could be bypassed via a pair of symlinks that individually point within the destination but combine to point outside of it. These behaviors could be used individually or combined to bypass the intended security control of limiting extraction to the given directory. This in turn would allow an attacker with a malicious tar archive to perform an arbitrary file write and potentially pivot into code execution. This issue has been patched in version 0.5.4. There is no workaround other than upgrading.
CVE-2025-62518: (needs triaging) astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.
CVE-2026-32766: (needs triaging) astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU “long link” extension so that a subsequent parser would misinterpret the extension. In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser. This issue has been fixed in version 0.6.0.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-09-24 Last update: 2026-05-20 15:30

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

TEMP-0000000-53D7AE:

Created: 2026-05-20 Last update: 2026-05-20 15:30

Failed to analyze the VCS repository. Please troubleshoot and fix the issue. high

vcswatch reports that there is an error with this package's VCS, or the debian/changelog file inside it. Please check the error shown below and try to fix it. You might have to update the VCS URL in the debian/control file to point to the correct repository.

fatal: shallow file has changed since we read it

Created: 2026-05-20 Last update: 2026-05-20 03:00

26 open merge requests in Salsa normal

There are 26 open merge requests for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-08-19 Last update: 2026-05-13 15:03

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-04-30 Last update: 2026-04-30 00:30

debian/patches: 2 patches to forward upstream low

Among the 2 debian patches available in version 0.6.2-1 of the package, we noticed the following issues:

2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2025-02-14 Last update: 2026-05-20 08:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).

Created: 2026-03-31 Last update: 2026-05-20 07:30

testing migrations

excuses:
- Migration status for rust-astral-tokio-tar (0.6.1-1 to 0.6.2-1): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Autopkgtest for rust-astral-tokio-tar/0.6.2-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Too young, only 1 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/r/rust-astral-tokio-tar.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- Not considered

news

[rss feed]

[2026-05-19] Accepted rust-astral-tokio-tar 0.6.2-1 (source) into unstable (kpcyrd)
[2026-05-14] rust-astral-tokio-tar 0.6.1-1 MIGRATED to testing (Debian testing watch)
[2026-04-29] Accepted rust-astral-tokio-tar 0.6.1-1 (source) into unstable (kpcyrd)
[2026-04-07] rust-astral-tokio-tar 0.6.0-1 MIGRATED to testing (Debian testing watch)
[2026-03-26] Accepted rust-astral-tokio-tar 0.6.0-1 (source) into unstable (Yifei Zhan)
[2025-11-26] rust-astral-tokio-tar 0.5.6-2 MIGRATED to testing (Debian testing watch)
[2025-11-23] Accepted rust-astral-tokio-tar 0.5.6-2 (source) into unstable (Fabian Grünbichler) (signed by: Fabian Gruenbichler)
[2025-10-25] rust-astral-tokio-tar 0.5.6-1 MIGRATED to testing (Debian testing watch)
[2025-10-22] Accepted rust-astral-tokio-tar 0.5.6-1 (source) into unstable (Fabian Grünbichler) (signed by: Fabian Gruenbichler)
[2025-09-29] rust-astral-tokio-tar 0.5.5-1 MIGRATED to testing (Debian testing watch)
[2025-09-26] Accepted rust-astral-tokio-tar 0.5.5-1 (source) into unstable (Matthias Geiger)
[2025-04-26] rust-astral-tokio-tar 0.5.2-2 MIGRATED to testing (Debian testing watch)
[2025-04-15] Accepted rust-astral-tokio-tar 0.5.2-2 (source) into unstable (Matthias Geiger)
[2025-04-01] Accepted rust-astral-tokio-tar 0.5.2-1 (source) into unstable (Matthias Geiger)
[2025-02-19] rust-astral-tokio-tar 0.5.1-1 MIGRATED to testing (Debian testing watch)
[2025-02-13] Accepted rust-astral-tokio-tar 0.5.1-1 (amd64 source) into unstable (Debian FTP Masters) (signed by: Matthias Geiger)

bugs [bug history graph]

all: 0

links

homepage
lintian (0, 2)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.5.6-2