This synchronizes our behavior with most other tar parsers
(including astral-tokio-tar and Go archive/tar), ensuring
that we don't parse things differently.
The problem with parsing size in particular differently is
it's easy to craft a tar archive that appears completely differently
between two parsers. This is the case with e.g. crates.io where
astral-tokio-tar is used for validation server side, but cargo uses
the `tar` crate to upload.
With this, the two projects agree.
Signed-off-by: Colin Walters <walters@verbum.org>
Co-authored-by: Colin Walters <walters@verbum.org>
FG: drop test-related changes
Signed-off-by: Fabian Grünbichler <debian@fabian.gruenbichler.email>
Fixes: CVE-2026-33055
Gbp-Pq: Topic vendor
Gbp-Pq: Name tar-CVE-2026-33055.patch
let file_pos = self.next;
let mut size = header.entry_size()?;
- if size == 0 {
- if let Some(pax_size) = pax_size {
- size = pax_size;
- }
+ // If this exists, it must override the header size. Disagreement among
+ // parsers allows construction of malicious archives that appear different
+ // when parsed.
+ if let Some(pax_size) = pax_size {
+ size = pax_size;
}
let ret = EntryFields {
size: size,
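Review bot: dropping the `if size == 0` guard means a PAX `size` record now overrides a nonzero ustar header size as well, which is the intended fix, but the hunk only changes the value of `size` bound before `EntryFields`; any code later in this function that advances `self.next` past the entry data (`file_pos` is taken from `self.next` at the top of the hunk) must use this overridden `size`, not `header.entry_size()`, or the header and the PAX record will still disagree about where the next header starts. Since the test changes were dropped from this vendored patch (`FG: drop test-related changes`), it would be worth keeping at least one test that builds an archive whose header size and PAX size differ and asserts both the reported entry size and the position of the following entry follow the PAX value, matching Go archive/tar.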