astral-tokio-tar Path Traversal Vulnerability Allowing Arbitrary File Write
Vulnerability
A path traversal vulnerability has been identified in the astral-tokio-tar library, which is used for reading and writing tar archives in asynchronous Rust. This vulnerability exists in versions through 0.5.3. When the Entry::unpack_in_raw API is used, tar archives may extract files outside of their intended destination directory. Additionally, the Entry::allow_external_symlinks control, which defaults to true, could be bypassed with a pair of symlinks that individually point within the destination but combine to point outside of it. These issues could be used separately or together to circumvent the security control that restricts extraction to the specified directory. As a result, an attacker could use a malicious tar archive to perform arbitrary file writes and potentially execute code by overwriting a file that is subsequently executed or used to run code.
Impact
Exploitation of this vulnerability allows for arbitrary file writes, with the potential to overwrite files that could be executed as code.
Reproduction
The vulnerability can be reproduced by creating a tar archive that includes symlinks pointing outside the intended extraction directory. When such an archive is extracted with the 'uv' tool, which uses astral-tokio-tar for unpacking, the symlinks are followed and files are written outside the destination directory. This behaviour violates PEP 721, the specification governing extraction of Python source distributions, which uv's extraction should adhere to.
Remediation
Users are advised to upgrade to version 0.5.4 or later, where this vulnerability has been patched.