[Bug 2145764] Re: CVE-2026-33056: Vendored tar crate can chmod arbitrary directories by following symlinks

Fri, 27 Mar 2026 11:01:00 -0700 

Here are the fixes for the rust-tar package:

- rust-tar - 0.4.26-1ubuntu0.1 (Focal): 
https://launchpad.net/~rust-toolchain/+archive/ubuntu/staging/+sourcepub/18274330/+listing-archive-extra
- rust-tar - 0.4.37-3ubuntu0.1 (Jammy): 
https://launchpad.net/~rust-toolchain/+archive/ubuntu/staging/+sourcepub/18274119/+listing-archive-extra
- rust-tar - 0.4.40-1ubuntu0.1 (Noble): 
https://launchpad.net/~rust-toolchain/+archive/ubuntu/staging/+sourcepub/18274087/+listing-archive-extra
- rust-tar - 0.4.43-4ubuntu0.1 (Questing): 
https://launchpad.net/~rust-toolchain/+archive/ubuntu/staging/+sourcepub/18274333/+listing-archive-extra

And here are the fixes for the rust-cargo-c package:

- rust-cargo-c - 0.10.11-1ubuntu1.1 (Questing): 
https://launchpad.net/~rust-toolchain/+archive/ubuntu/staging/+sourcepub/18274344/+listing-archive-extra
- rust-cargo-c - 0.10.11-1ubuntu2 (Resolute): 
https://launchpad.net/~rust-toolchain/+archive/ubuntu/staging/+sourcepub/18274343/+listing-archive-extra

Fixing rust-cargo-c for Noble requires re-building the librust-tar-dev
package after the rust-tar fixes get published.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2145764

Title:
  CVE-2026-33056: Vendored tar crate can chmod arbitrary directories by
  following symlinks

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/asusctl/+bug/2145764/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to