We have been slowly working on packaging asusctl but it has never been included in the Ubuntu archive: https://launchpad.net/ubuntu/+source/asusctl
asusctl vendors a vulnerable version of the Rust tar crate: https://git.launchpad.net/ubuntu/+source/asusctl/tree/vendor/tar If we were to finish the packaging of asusctl, we would want to ensure that the vendored tar crate is patched. The patch itself is a one-line change: https://github.com/alexcrichton/tar- rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446#diff-3dcefa956e75e2171b83e5134b542405a2adb7909a16dc03fad7fd92e8e2d945L449 I currently do not have time to finish packaging asusctl nor do I have ASUS hardware to test it against. I notified the other engineers who worked with asusctl in the past and also the Security Engineering team for best practices and the recommended way ahead to handle this scenario. ** Changed in: asusctl (Ubuntu Resolute) Importance: Undecided => Medium ** Changed in: asusctl (Ubuntu Resolute) Status: Confirmed => Deferred -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2145764 Title: CVE-2026-33056: Vendored tar crate can chmod arbitrary directories by following symlinks To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/asusctl/+bug/2145764/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
