Debian Package Tracker

rust-astral-tokio-tar

An async TAR file reader and writer - Rust source code


general
  • source: rust-astral-tokio-tar (main)
  • version: 0.5.5-1
  • maintainer: Debian Rust Maintainers (archive) (DMD)
  • uploaders: Matthias Geiger [DMD]
  • arch: any
  • std-ver: 4.7.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • stable: 0.5.2-2
  • testing: 0.5.5-1
  • unstable: 0.5.5-1
versioned links
  • 0.5.2-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.5.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • librust-astral-tokio-tar-dev
action needed
lintian reports 1 warning normal
Lintian reports 1 warning about this package. You should make the package lintian-clean by resolving it.
Created: 2025-09-27 Last update: 2025-09-27 03:02
20 open merge requests in Salsa normal
There are 20 open merge requests for this package on Salsa. You should consider reviewing and/or merging these merge requests.
Created: 2025-08-19 Last update: 2025-09-24 19:03
1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:
  • CVE-2025-59825: (needs triaging) astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using the Entry::unpack_in_raw API. Additionally, the Entry::allow_external_symlinks control (which defaults to true) could be bypassed via a pair of symlinks that individually point within the destination but combine to point outside of it. These behaviors could be used individually or combined to bypass the intended security control of limiting extraction to the given directory. This in turn would allow an attacker with a malicious tar archive to perform an arbitrary file write and potentially pivot into code execution. This issue has been patched in version 0.5.4. There is no workaround other than upgrading.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-09-24 Last update: 2025-09-29 05:30
debian/patches: 2 patches to forward upstream low

Among the 2 debian patches available in version 0.5.5-1 of the package, we noticed the following issues:

  • 2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2025-02-14 Last update: 2025-09-27 08:32
news
  • [2025-09-29] rust-astral-tokio-tar 0.5.5-1 MIGRATED to testing (Debian testing watch)
  • [2025-09-26] Accepted rust-astral-tokio-tar 0.5.5-1 (source) into unstable (Matthias Geiger)
  • [2025-04-26] rust-astral-tokio-tar 0.5.2-2 MIGRATED to testing (Debian testing watch)
  • [2025-04-15] Accepted rust-astral-tokio-tar 0.5.2-2 (source) into unstable (Matthias Geiger)
  • [2025-04-01] Accepted rust-astral-tokio-tar 0.5.2-1 (source) into unstable (Matthias Geiger)
  • [2025-02-19] rust-astral-tokio-tar 0.5.1-1 MIGRATED to testing (Debian testing watch)
  • [2025-02-13] Accepted rust-astral-tokio-tar 0.5.1-1 (amd64 source) into unstable (Debian FTP Masters) (signed by: Matthias Geiger)
bugs
  • all: 0
links
  • homepage
  • lintian (0, 1)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu
  • version: 0.5.2-2
