From b227ef62f10cf742103dcfc96efb807df2ca07ac Mon Sep 17 00:00:00 2001
From: Alex Crichton
Date: Thu, 19 Mar 2026 16:56:51 -0500
Subject: [PATCH] archive: Unconditionally honor PAX size (#441)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

This synchronizes our behavior with most other tar parsers (including astral-tokio-tar and Go archive/tar) ensuring that we don't parse things differently. The problem with parsing size in particular differently is it's easy to craft a tar archive that appears completely differently between two parsers. This is the case with e.g. crates.io where astral-tokio-tar is used for validation server side, but cargo uses the `tar` crate to upload. With this, the two projects agree.

Signed-off-by: Colin Walters
Co-authored-by: Colin Walters

FG: drop test-related changes

Signed-off-by: Fabian Grünbichler
Fixes: CVE-2026-33055
Gbp-Pq: Topic vendor
Gbp-Pq: Name tar-CVE-2026-33055.patch
---
 vendor/tar-0.4.44/src/archive.rs | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/vendor/tar-0.4.44/src/archive.rs b/vendor/tar-0.4.44/src/archive.rs
index 459c28b653..cbc56f9f6c 100644
--- a/vendor/tar-0.4.44/src/archive.rs
+++ b/vendor/tar-0.4.44/src/archive.rs
@@ -352,10 +352,11 @@ impl<'a> EntriesFields<'a> {
 
         let file_pos = self.next;
         let mut size = header.entry_size()?;
-        if size == 0 {
-            if let Some(pax_size) = pax_size {
-                size = pax_size;
-            }
+        // If this exists, it must override the header size. Disagreement among
+        // parsers allows construction of malicious archives that appear different
+        // when parsed.
+        if let Some(pax_size) = pax_size {
+            size = pax_size;
         }
         let ret = EntryFields {
             size: size,
-- 
2.30.2
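Review bot: The new comment on the added `if let Some(pax_size) = pax_size` branch says "If this exists" without naming what "this" is or what is being dropped, and the value from `header.entry_size()?` on the line above is now silently discarded whenever a PAX record is present, even when the two disagree. Suggest making the comment state the contract and the reference behavior explicitly: `// A PAX \`size\` record always overrides the ustar header size (matching Go archive/tar` / `// and astral-tokio-tar); honoring it only when the header size is 0 let one archive` / `// parse to different contents in different tools.` Since the header size is deliberately ignored on disagreement, it would also be worth a sentence in the `Entry::size` / `Entries` rustdoc so downstream users know which value they get. The enclosing method begins and ends outside the hunk, and the code that parses `pax_size` is not visible here, so whether a malformed or oversized PAX size is rejected before reaching this point cannot be confirmed from this hunk.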