Update Rust crate tar to v0.4.46 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
tar	dev-dependencies	patch	0.4.45 → 0.4.46

---

tar has a PAX header desynchronization issue

GHSA-3pv8-6f4r-ffg2

More information

Details

Summary

When a tar stream contains multiple "header" entries prior to a file entry, tar-rs applies the PAX header (x) to the next entry in the stream, regardless of type. For example, a stream of x -> L -> file (PAX, GNU longname, file) would result in x's extensions being applied to L rather than to file.

Per POSIX pax, this is incorrect: a PAX header always applies to a file entry, not any intermediary entries. See the "pax Header Block" section for the specific prescription there.

As a result of this, an attacker can contrive a tar containing a sequence of tar headers such that tar-rs applies the PAX header's size extension to the next header in sequence, effectively desynchronizing the stream and enabling tar-rs specific skippage/extraction of members. In other words, a file can be contrived to extract differently on tar-rs than on other tar parsers.

PoC

This tar (zipped for size) demonstrates the desynchronization: with tar tvf:

% tar tvf tests/archives/pax-overrides-extension-header.tar 
----------  0 0      0        2048 Dec 31  1969 longname.txt
----------  0 0      0           0 Dec 31  1969 file_b

with tar-rs:

---- pax_size_does_not_apply_to_extension_headers stdout ----

thread 'pax_size_does_not_apply_to_extension_headers' (250476889) panicked at tests/all.rs:2121:27:
called `Result::unwrap()` on an `Err` value: Custom { kind: Other, error: "numeric field was not a number: AAAAAAAA when getting cksum for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

In the above case, the PoC is not weaponized, so it jumps into the middle of an entry and subsequently fails the checksum test rather than silently continuing with attacker-controlled archive state.

Impact

This is very similar to GHSA-j5gw-2vrg-8fgx and GHSA-fp55-jw48-c537 in impact -- an attacker can use this to extract (or not extract) files from a tar stream depending on the tar parser used, which in turn can be used to obscure the presence of malicious files.

Severity

Medium

References

• https://github.com/composefs/tar-rs/security/advisories/GHSA-3pv8-6f4r-ffg2
• https://github.com/composefs/tar-rs/pull/454
• https://github.com/composefs/tar-rs/commit/bab14dd84b411ac16ecb56d4f2d2f7bfb88a9838
• https://github.com/composefs/tar-rs/releases/tag/0.4.46
• https://github.com/advisories/GHSA-3pv8-6f4r-ffg2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

tar has a PAX header desynchronization issue

GHSA-3pv8-6f4r-ffg2

More information

Details

Summary

When a tar stream contains multiple "header" entries prior to a file entry, tar-rs applies the PAX header (x) to the next entry in the stream, regardless of type. For example, a stream of x -> L -> file (PAX, GNU longname, file) would result in x's extensions being applied to L rather than to file.

Per POSIX pax, this is incorrect: a PAX header always applies to a file entry, not any intermediary entries. See the "pax Header Block" section for the specific prescription there.

As a result of this, an attacker can contrive a tar containing a sequence of tar headers such that tar-rs applies the PAX header's size extension to the next header in sequence, effectively desynchronizing the stream and enabling tar-rs specific skippage/extraction of members. In other words, a file can be contrived to extract differently on tar-rs than on other tar parsers.

PoC

This tar (zipped for size) demonstrates the desynchronization: with tar tvf:

% tar tvf tests/archives/pax-overrides-extension-header.tar 
----------  0 0      0        2048 Dec 31  1969 longname.txt
----------  0 0      0           0 Dec 31  1969 file_b

with tar-rs:

---- pax_size_does_not_apply_to_extension_headers stdout ----

thread 'pax_size_does_not_apply_to_extension_headers' (250476889) panicked at tests/all.rs:2121:27:
called `Result::unwrap()` on an `Err` value: Custom { kind: Other, error: "numeric field was not a number: AAAAAAAA when getting cksum for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

In the above case, the PoC is not weaponized, so it jumps into the middle of an entry and subsequently fails the checksum test rather than silently continuing with attacker-controlled archive state.

Impact

This is very similar to GHSA-j5gw-2vrg-8fgx and GHSA-fp55-jw48-c537 in impact -- an attacker can use this to extract (or not extract) files from a tar stream depending on the tar parser used, which in turn can be used to obscure the presence of malicious files.

Severity

Moderate

References

• https://github.com/composefs/tar-rs/security/advisories/GHSA-3pv8-6f4r-ffg2
• https://github.com/composefs/tar-rs/pull/454
• https://github.com/composefs/tar-rs/commit/bab14dd84b411ac16ecb56d4f2d2f7bfb88a9838
• https://github.com/composefs/tar-rs
• https://github.com/composefs/tar-rs/releases/tag/0.4.46

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

composefs/tar-rs (tar)

v0.4.46

Compare Source

Security

• archive: Fix another PAX header desync (GHSA-3cv2-h65g-fgmm) by @​cgwalters in #​454

See also GHSA-3cv2-h65g-fgmm

Other changes

• ci: Fix and re-enable reverse dependency testing by @​cgwalters in #​444
• Update astral-tokio-tar requirement from 0.5 to 0.6 by @​dependabot[bot] in #​446
• Update some links by @​atouchet in #​445
• Add support of absolute paths by @​zxvfc in #​426
• docs: Expand notes on concurrent mutations and following symlinks by @​cgwalters in #​453
• Update repo links by @​cgwalters in #​451
• ci: Add crates.io trusted publishing workflow by @​cgwalters in #​456
• Release 0.4.46 by @​cgwalters in #​455

New Contributors

• @​dependabot[bot] made their first contribution in #​446
• @​atouchet made their first contribution in #​445
• @​zxvfc made their first contribution in #​426

Full Changelog: composefs/tar-rs@0.4.45...0.4.46

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

---

This change is 

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nativelink	Ready	Preview, Comment	May 30, 2026 1:42am
nativelink-aidm	Ready	Preview, Comment	May 30, 2026 1:42am