CVE-2026-33056
Publication date 20 March 2026
Last updated 13 April 2026
Ubuntu priority
Description
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| rust-tar | 25.10 questing |
Fixed 0.4.43-4ubuntu0.1
|
| 24.04 LTS noble |
Fixed 0.4.40-1ubuntu0.1
|
|
| 22.04 LTS jammy |
Fixed 0.4.37-3ubuntu0.1
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| rustc | 25.10 questing | Not in release |
| 24.04 LTS noble |
Fixed 1.75.0+dfsg0ubuntu1-0ubuntu7.4
|
|
| 22.04 LTS jammy |
Fixed 1.75.0+dfsg0ubuntu1~bpo0-0ubuntu0.22.04.1
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty |
Needs evaluation
|
|
| rustc-1.62 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Fixed 1.62.1+dfsg1-1ubuntu0.22.04.3
|
|
| rustc-1.74 | 25.10 questing | Not in release |
| 24.04 LTS noble |
Fixed 1.74.1+dfsg0ubuntu1-0ubuntu15
|
|
| 22.04 LTS jammy | Not in release | |
| rustc-1.76 | 25.10 questing | Not in release |
| 24.04 LTS noble |
Fixed 1.76.0+dfsg0ubuntu1-0ubuntu0.24.04.2
|
|
| 22.04 LTS jammy |
Fixed 1.76.0+dfsg0ubuntu1~bpo0-0ubuntu0.22.04.1
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| rustc-1.77 | 25.10 questing | Not in release |
| 24.04 LTS noble |
Fixed 1.77.2+dfsg1ubuntu1-0ubuntu0.24.04.1
|
|
| 22.04 LTS jammy |
Fixed 1.77.2+dfsg1ubuntu1~bpo0-0ubuntu0.22.04.1
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| rustc-1.78 | 25.10 questing | Not in release |
| 24.04 LTS noble |
Fixed 1.78.0+dfsg1ubuntu1-0ubuntu0.24.04.2
|
|
| 22.04 LTS jammy |
Fixed 1.78.0+dfsg1ubuntu1~bpo0-0ubuntu0.22.04.1
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| rustc-1.79 | 25.10 questing | Not in release |
| 24.04 LTS noble |
Fixed 1.79.0+dfsg1ubuntu1-0ubuntu0.24.04.1
|
|
| 22.04 LTS jammy |
Fixed 1.79.0+dfsg1ubuntu1~bpo0-0ubuntu0.22.04.1
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| rustc-1.80 | 25.10 questing | Not in release |
| 24.04 LTS noble |
Fixed 1.80.1+dfsg0ubuntu1-0ubuntu0.24.04.01
|
|
| 22.04 LTS jammy |
Fixed 1.80.1+dfsg0ubuntu1~bpo0-0ubuntu0.22.04.1
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| rustc-1.81 | 25.10 questing | Not in release |
| 24.04 LTS noble |
Fixed 1.81.0+dfsg0ubuntu1-0ubuntu0.24.04.1
|
|
| 22.04 LTS jammy |
Fixed 1.81.0+dfsg0ubuntu0-0ubuntu0.22.04.1
|
|
| rustc-1.82 | 25.10 questing | Not in release |
| 24.04 LTS noble |
Fixed 1.82.0+dfsg0ubuntu0-0ubuntu0.24.04.1
|
|
| 22.04 LTS jammy |
Fixed 1.82.0+dfsg0ubuntu0~jammy-0ubuntu0.22.04.1
|
|
| rustc-1.83 | 25.10 questing | Not in release |
| 24.04 LTS noble |
Fixed 1.83.0+dfsg0ubuntu1~bpo2-0ubuntu0.24.04.1
|
|
| 22.04 LTS jammy |
Fixed 1.83.0+dfsg0ubuntu2~bpo2-0ubuntu2.22.04.1
|
|
| rustc-1.84 | 25.10 questing | Not in release |
| 24.04 LTS noble |
Fixed 1.84.1+dfsg0ubuntu1~bpo2-0ubuntu2.24.04.1
|
|
| 22.04 LTS jammy |
Fixed 1.84.1+dfsg0ubuntu1~bpo10-0ubuntu4.22.04.1
|
|
| rustc-1.85 | 25.10 questing |
Fixed 1.85.1+dfsg0ubuntu2-0ubuntu1.25.04.1
|
| 24.04 LTS noble |
Fixed 1.85.1+dfsg0ubuntu2~bpo0-0ubuntu0.24.04.2
|
|
| 22.04 LTS jammy |
Fixed 1.85.1+dfsg0ubuntu2~bpo0-0ubuntu1.22.04.1
|
|
| rustc-1.88 | 25.10 questing |
Fixed 1.88.0+dfsg0ubuntu1-0ubuntu2
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| rustc-1.89 | 25.10 questing | Not in release |
| 24.04 LTS noble |
Fixed 1.89.0+dfsg~24.04-0ubuntu0.24.04.2
|
|
| 22.04 LTS jammy |
Fixed 1.89.0+dfsg~24.04-0ubuntu0.22.04.2
|
|
| rustc-1.91 | 25.10 questing | Not in release |
| 24.04 LTS noble |
Fixed 1.91.1+dfsg~24.04-0ubuntu0.24.04.2
|
|
| 22.04 LTS jammy |
Fixed 1.91.1+dfsg~22.04-0ubuntu0.22.04.3
|
|
| rustc-1.92 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| rustc-1.93 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| cargo | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| rust-cargo-c | 25.10 questing |
Fixed 0.10.11-1ubuntu1.1
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy | Not in release | |
| rust-async-tar | 25.10 questing |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy | Not in release | |
| rust-astral-tokio-tar | 25.10 questing |
Needs evaluation
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release |
References
Related Ubuntu Security Notices (USN)
- USN-8139-1
- cargo-c vulnerability
- 1 April 2026
- USN-8138-1
- tar-rs vulnerability
- 1 April 2026
- USN-8168-1
- Rust vulnerability
- 13 April 2026
- USN-8168-2
- Rust vulnerability
- 14 April 2026
- USN-8138-2
- tar-rs vulnerability
- 14 April 2026