astral-tokio-tar Malformed PAX Extension Handling Vulnerability

Vulnerability

A vulnerability exists in astral-tokio-tar, a tar archive library for asynchronous Rust, in versions through 0.5.6. Malformed PAX extension records were silently ignored during archive parsing instead of being rejected. On its own this does not change what astral-tokio-tar reads from an archive, but it creates a parser differential: an attacker can craft an archive whose malformed extension astral-tokio-tar drops without error while a secondary tar parser, with its own flawed validation, still honours it, so the two parsers disagree about the same entry. For instance, a malformed GNU 'long link' extension overlooked by astral-tokio-tar could be interpreted by another parser. The issue is rated low-severity because exploitation requires an additional flaw in an unrelated tar parser.

Impact

The vulnerability creates a parser differential: a secondary tar parser may honour malformed PAX extensions that astral-tokio-tar skipped, so the two parsers report different metadata for the same entry and archive contents may be handled incorrectly by whichever component trusts the wrong view.

Reproduction

To reproduce, parse a tar archive containing a malformed PAX extension record (for example an improperly formatted 'long link' extension) with astral-tokio-tar 0.5.6 or earlier: the malformed record is dropped and no error is reported. Then parse the same archive with a secondary tar parser that validates PAX extensions inadequately and compare the metadata the two parsers report for the affected entry; the vulnerability shows up as a disagreement between them.

Remediation

Users are advised to upgrade to astral-tokio-tar version 0.6.0 or newer, which rejects invalid PAX extensions with an error instead of silently ignoring them. Upgrading closes the differential on the astral-tokio-tar side only; an archive that the patched library rejects should be treated as untrusted rather than handed to another tar parser as a fallback.

Added: Mar 20, 2026, 12:21 AM
Updated: Mar 20, 2026, 12:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.7
remediation: 0.0
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.