Public bug reported:

Packages that build-depend on rust-tar directly or indirectly may contain vulnerable code.

Recently, rust-tar has been patched to fix a CVE (https://www.cve.org/CVERecord?id=CVE-2026-33056). Most packages have already been uploaded to the archive. However, no-change rebuilds are still necessary for all packages that build-depend either (1) on librust-tar-X.Y-dev or (2) on other librust-$LIB-dev packages that, in turn, depend on librust-tar-X.Y-dev.

For example: rust-cargo-c on Noble does not vendor the tar crate. However, it build-depends on librust-cargo-dev which, in turn, depends on librust-tar-0.4-dev, which contained the vulnerability. Now that rust-tar has been patched and uploaded to the archive, we need to rebuild rust-cargo-c for it to pick up the fix.

CVE record: https://www.cve.org/CVERecord?id=CVE-2026-33056
LP bug tracking the packages vendoring the tar crate: https://bugs.launchpad.net/ubuntu/focal/+source/rustc-1.77/+bug/2145764

** Affects: elan (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: python-maturin (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: rust-cargo (Ubuntu)
     Importance: Undecided
     Assignee: Ruan Comelli (ruancomelli)
         Status: New

** Affects: elan (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Affects: python-maturin (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Affects: rust-cargo (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Affects: elan (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Affects: python-maturin (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Affects: rust-cargo (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Affects: elan (Ubuntu Noble)
     Importance: Undecided
         Status: New

** Affects: python-maturin (Ubuntu Noble)
     Importance: Undecided
         Status: New

** Affects: rust-cargo (Ubuntu Noble)
     Importance: Undecided
         Status: New

** Affects: elan (Ubuntu Questing)
     Importance: Undecided
         Status: New

** Affects: python-maturin (Ubuntu Questing)
     Importance: Undecided
         Status: New

** Affects: rust-cargo (Ubuntu Questing)
     Importance: Undecided
         Status: New

** Affects: elan (Ubuntu Resolute)
     Importance: Undecided
         Status: New

** Affects: python-maturin (Ubuntu Resolute)
     Importance: Undecided
         Status: New

** Affects: rust-cargo (Ubuntu Resolute)
     Importance: Undecided
     Assignee: Ruan Comelli (ruancomelli)
         Status: New

** Tags: foundations

** Also affects: rust-cargo (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: rust-cargo (Ubuntu Questing)
   Importance: Undecided
       Status: New

** Also affects: rust-cargo (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: rust-cargo (Ubuntu Resolute)
   Importance: Undecided
     Assignee: Ruan Comelli (ruancomelli)
       Status: New

** Also affects: rust-cargo (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Also affects: elan (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: python-maturin (Ubuntu)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/2148332

Title:
  CVE-2026-33056: Packages that depend on rust-tar might still contain vulnerable code
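Added example, not part of the bug report or of any Ubuntu tooling: one way to compute the rebuild set described above, by taking the transitive closure of reverse Depends from librust-tar-X.Y-dev and then selecting source packages whose Build-Depends hit that closure. The stanza data and the function names are constructed for illustration (only the rust-cargo-c chain comes from the report), and the sketch assumes single-line fields and ignores Provides.

```python
import re
from collections import defaultdict

# Constructed deb822-style stanzas, not archive data; only the cargo-c chain is from the report.
PACKAGES = """\
Package: librust-tar-0.4-dev
Depends: librust-filetime-0.2-dev

Package: librust-cargo-dev
Depends: librust-tar-0.4-dev (>= 0.4.40), librust-semver-1-dev

Package: librust-example-a-dev
Depends: librust-cargo-dev | librust-example-z-dev
"""
SOURCES = """\
Package: rust-cargo-c
Build-Depends: debhelper-compat (= 13), librust-cargo-dev <!nocheck>

Package: rust-example-b
Build-Depends: dh-cargo, librust-example-a-dev:native

Package: rust-example-c
Build-Depends: dh-cargo, librust-filetime-0.2-dev
"""

def stanzas(text):
    """Parse single-line-field stanzas into dicts (no continuation lines in the sample)."""
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def names(field):
    """Bare package names from a relationship field: drop versions, :arch, <profiles>."""
    return {re.match(r"[a-z0-9][a-z0-9+.-]*", alt.strip()).group()
            for clause in field.split(",") for alt in clause.split("|") if alt.strip()}

def needs_rebuild(packages, sources, patched=r"librust-tar-[0-9.]+-dev"):
    rdeps, tainted = defaultdict(set), set()   # rdeps: binary -> binaries that Depend on it
    for st in stanzas(packages):
        if re.fullmatch(patched, st["Package"]):
            tainted.add(st["Package"])
        for dep in names(st.get("Depends", "")):
            rdeps[dep].add(st["Package"])
    todo = list(tainted)
    while todo:                                # transitive closure over reverse Depends
        for parent in rdeps[todo.pop()] - tainted:
            tainted.add(parent)
            todo.append(parent)
    hits = {st["Package"]: sorted(names(st.get("Build-Depends", "")) & tainted)
            for st in stanzas(sources)}
    return {src: via for src, via in hits.items() if via}
```

The result maps each source package to the tainted build-dependencies that pull it in, so rust-example-c, which only build-depends on something rust-tar itself depends on, is correctly left out.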
