
async-tar and its forks are vulnerable

Open lolbinarycat opened this issue 2 months ago • 7 comments

see CVE-2025-62518, GHSA-j5gw-2vrg-8fgx, and this announcement blogpost.

This should be added to the rustsec database so library maintainers will be informed about it when running cargo audit.

lolbinarycat avatar Oct 21 '25 16:10 lolbinarycat

Want to submit an advisory? cc @woodruffw

djc avatar Oct 21 '25 18:10 djc

Yeah, it'd be great to have RUSTSEC advisories for these. For context, the CVE is only for astral-tokio-tar (which is patched), the other forks of tokio-tar are potentially not patched or have divergent versions (I'm not familiar with them).

woodruffw avatar Oct 21 '25 19:10 woodruffw

@lolbinarycat if you're interested in submitting these entries, I'd be happy to review them. Otherwise, I can probably find some time tomorrow to submit these.

woodruffw avatar Oct 21 '25 19:10 woodruffw

I can submit advisories for these, though it will probably take until at least tomorrow.

Should I also submit separate "unmaintained" advisories, or is one advisory per crate enough?

lolbinarycat avatar Oct 21 '25 20:10 lolbinarycat

One advisory per crate is enough, just state explicitly that it is unmaintained and no fixes are expected to be forthcoming (or some such).

Thanks!

djc avatar Oct 21 '25 20:10 djc

So we have https://github.com/rustsec/advisory-db/pull/2442 and https://github.com/rustsec/advisory-db/pull/2443 merged - what else is needed here?

jayvdb avatar Nov 16 '25 21:11 jayvdb

I believe krata-tokio-tar also needs an advisory, at least based on Edera's post.

woodruffw avatar Nov 16 '25 23:11 woodruffw