tar-rs PAX Header Handling Vulnerability Leading to Archive Desynchronization
Vulnerability
A boundary parsing vulnerability has been identified in tar-rs, a Rust library for reading and writing tar archives. It affects versions through 0.4.44. The issue arises from conditional logic in the library that skips the PAX size header whenever the base (ustar) header size is nonzero. This is inconsistent with other tar parsers, such as Go's archive/tar, which always honor the PAX size override. As a result, an archive that carries both sizes can be interpreted differently by different archivers, which allows additional entries to be smuggled past one parser but seen by another, a problem known to affect crates.io.
Impact
The vulnerability can cause desynchronization between tar parsers, leading to inconsistent interpretations of archive contents. This issue is particularly problematic for tools like Cargo, which may inadvertently process smuggled entries due to this parsing differential.
Reproduction
The vulnerability can be reproduced by creating a tar archive that triggers the PAX size smuggling issue: an archive whose PAX header declares a size larger than the one in the ustar header. When such an archive is parsed with tar-rs, the parser ignores the PAX size and keeps using the ustar size, so it exposes a symlink entry that would otherwise be hidden.
Remediation
Users can upgrade to tar-rs version 0.4.45, which unconditionally honors PAX size headers, ensuring consistent parsing across different tar libraries.
