From: Alex Crichton
Date: Thu, 19 Mar 2026 21:56:51 +0000 (-0500)
Subject: archive: Unconditionally honor PAX size (#441)
X-Git-Tag: archive/raspbian/1.93.1+dfsg1-2+rpi1^2~1
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/success//%22mailto:kde%40ewsoftware.de/%22/%22http:/www.example.com/cgi/success/%22mailto:kde%40ewsoftware.de/%22?a=commitdiff_plain;h=ed4cee3ef66deb575387bbd9ed0e0dd5aa081e3b;p=rustc.git

archive: Unconditionally honor PAX size (#441)

This synchronizes our behavior with most other tar parsers (including astral-tokio-tar and Go archive/tar), ensuring that we don't parse things differently. The problem with parsing size in particular differently is it's easy to craft a tar archive that appears completely different between two parsers. This is the case with e.g. crates.io where astral-tokio-tar is used for validation server side, but cargo uses the `tar` crate to upload. With this, the two projects agree.

Signed-off-by: Colin Walters
Co-authored-by: Colin Walters

FG: drop test-related changes

Signed-off-by: Fabian Grünbichler
Fixes: CVE-2026-33055
Gbp-Pq: Topic vendor
Gbp-Pq: Name tar-CVE-2026-33055.patch
---
diff --git a/vendor/tar-0.4.44/src/archive.rs b/vendor/tar-0.4.44/src/archive.rs index 459c28b653..cbc56f9f6c 100644 --- a/vendor/tar-0.4.44/src/archive.rs +++ b/vendor/tar-0.4.44/src/archive.rs @@ -352,10 +352,11 @@ impl<'a> EntriesFields<'a> { let file_pos = self.next; let mut size = header.entry_size()?; - if size == 0 { - if let Some(pax_size) = pax_size { - size = pax_size; - } + // If this exists, it must override the header size. Disagreement among + // parsers allows construction of malicious archives that appear different + // when parsed. + if let Some(pax_size) = pax_size { + size = pax_size; } let ret = EntryFields { size: size,
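Review bot: the hunk has no regression test for the case it fixes, a ustar header `size` field that disagrees with a non-zero PAX `size` record, and the message explicitly drops upstream's tests ("FG: drop test-related changes"), so nothing in this import verifies that the PAX value now wins; consider carrying at least one archive fixture with conflicting sizes and asserting on `entry.size()`. Two smaller points in the same hunk: `let mut size = header.entry_size()?;` still runs before the PAX override, so a header whose size field fails to parse rejects the entry even when a valid PAX size is present, which matches the stricter behaviour but is worth stating in the new comment; and "If this exists" should name what "this" is, e.g. "If a PAX `size` record exists, it must override the header size", since the comment sits several lines from where `pax_size` is computed.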