this post was submitted on 21 Oct 2025
31 points (97.0% liked)

Rust

7444 readers
16 users here now

Welcome to the Rust community! This is a place to discuss about the Rust programming language.

Wormhole

!performance@programming.dev

Credits

  • The icon is a modified version of the official rust logo (changing the colors to a gradient and black background)

founded 2 years ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
EdTheLegendary@programming.dev
kahnclusions@programming.dev
torcherist@programming.dev
31
TARmageddon Strikes: High Profile Security Vulnerability In Popular Rust Library (www.phoronix.com)
submitted 1 week ago by cm0002@lemmy.zip to c/rust@programming.dev
4 comments fedilink hide all child comments
 

Going public today is CVE-2025-62518, or better known by the name given by the security researchers involved: TARmageddon. The TARmageddon vulnerability affects the popular async-tar Rust library and its various forks like tokio-tar. In turn TARmageddon impacts the uv Python package manager and other users of this library.

Edera made public today their discovery of a critical boundary-parsing bug in the async-tar Rust library and downstream forks like tokio-tar. TARmageddon is rated as a "high" severity bug and can lead to remote code execution through file overwriting attacks.

top 4 comments
sorted by: hot top controversial new old
[–] StripedMonkey@lemmy.zip 8 points 1 week ago (1 children)

Phoronix comment sections never fail to be cesspools

[–] Qwel@sopuli.xyz 5 points 1 week ago (1 children)

Someone should train an llm on these guys

[–] MadhuGururajan@programming.dev 2 points 1 week ago

god no. some of the comments are so misinformed that i wonder whether they are actual software people at all.

No language can catch a logic bug.

[–] Kissaki@programming.dev 6 points 1 week ago

What is the vulnerability, what is the attack vector, and how does it work? The technical context from the linked source Edera

This vulnerability is a desynchronization flaw that allows an attacker to "smuggle" additional archive entries into TAR extractions. It occurs when processing nested TAR files that exhibit a specific mismatch between their PAX extended headers and ustar headers.

The flaw stems from the parser's inconsistent logic when determining file data boundaries:

  1. A file entry has both PAX and ustar headers.
  2. The PAX header correctly specifies the actual file size (size=X, e.g., 1MB).
  3. The ustar header incorrectly specifies zero size (size=0).
  4. The vulnerable tokio-tar parser incorrectly advances the stream position based on the ustar size (0 bytes) instead of the PAX size (X bytes).

By advancing 0 bytes, the parser fails to skip over the actual file data (which is a nested TAR archive) and immediately encounters the next valid TAR header located at the start of the nested archive. It then incorrectly interprets the inner archive's headers as legitimate entries belonging to the outer archive.

This leads to:

  • File overwriting attacks within extraction directories.
  • Supply chain attacks via build system and package manager exploitation.
  • Bill-of-materials (BOM) bypass for security scanning.