archive: Fix another PAX header desync (GHSA-3cv2-h65g-fgmm)#454

Merged
cgwalters merged 1 commit into
composefs:mainfrom
cgwalters:pax-desync-more
May 18, 2026

Conversation

@cgwalters
Collaborator

Per POSIX pax, a PAX x header applies to the next file entry, not any intermediary extension headers (GNU LongName L, etc.). Violating this lets an attacker craft a tar that extracts differently under tar-rs than under other parsers — a file smuggling vector.

Mirrors astral-tokio-tar commit 36e734d (GHSA-3cv2-h65g-fgmm).

Assisted-by: OpenCode (claude-sonnet-4-6@default)

Per POSIX pax, a PAX `x` header applies to the next *file* entry, not
any intermediary extension headers (GNU LongName `L`, etc.). Violating
this lets an attacker craft a tar that extracts differently under tar-rs
than under other parsers — a file smuggling vector.

Mirrors astral-tokio-tar commit 36e734d (GHSA-3cv2-h65g-fgmm).

Assisted-by: OpenCode (claude-sonnet-4-6@default)
Signed-off-by: Colin Walters <walters@verbum.org>
cgwalters merged commit bab14dd into composefs:main May 18, 2026
12 checks passed
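The header sequencing the PR description and commit message describe, as an added example that is not composefs or tar-rs code: a minimal tar walker that stashes the records of an `x` header, consumes any GNU `L`/`K` header using that header's own ustar size field, and applies both only to the next file entry. The archive, the entry names and the helper functions are constructed for this example and are hypothetical.

```python
import io
BLOCK = 512

def _ustar_header(name: bytes, typeflag: bytes, size: int) -> bytes:
    # Minimal ustar header: mode, size, typeflag, magic, checksum (uid/gid/mtime left zero).
    h = bytearray(BLOCK)
    h[0:len(name)] = name
    h[100:108] = b"0000644\0"
    h[124:136] = b"%011o\0" % size
    h[156:157] = typeflag
    h[257:263] = b"ustar\0"
    h[148:156] = b"%06o\0 " % (sum(h) + 8 * 0x20)  # checksum counts its own field as 8 spaces
    return bytes(h)

def _entry(name: bytes, typeflag: bytes, data: bytes) -> bytes:
    return _ustar_header(name, typeflag, len(data)) + data + b"\0" * (-len(data) % BLOCK)

def _parse_pax(data: bytes) -> dict:
    # Each record is "<len> <key>=<value>\n", where <len> counts the whole record.
    recs, pos = {}, 0
    while pos < len(data):
        sp = data.index(b" ", pos)
        ln = int(data[pos:sp])
        key, _, val = data[sp + 1:pos + ln - 1].partition(b"=")
        recs[key.decode()] = val.decode()
        pos += ln
    return recs

def walk(archive: bytes) -> list:
    # Returns (name, size, data) per file entry; 'x' and 'L'/'K' apply to the next file only.
    f, entries, pax, ext = io.BytesIO(archive), [], {}, {}
    while True:
        hdr = f.read(BLOCK)
        if len(hdr) < BLOCK or hdr == b"\0" * BLOCK:
            return entries
        typeflag, own_size = hdr[156:157], int(hdr[124:136].strip(b"\0 "), 8)
        if typeflag == b"x":
            pax = _parse_pax(f.read(own_size))  # stash until the next *file* entry
        elif typeflag in (b"L", b"K"):
            ext[typeflag] = f.read(own_size).rstrip(b"\0")  # sized by its OWN header, never by pax
        else:
            size = int(pax["size"]) if "size" in pax else own_size
            name = ext.get(b"L") or hdr[0:100].rstrip(b"\0")
            entries.append((name.decode(), size, f.read(size)))
            pax, ext = {}, {}  # consumed by this file entry
        f.seek(-f.tell() % BLOCK, io.SEEK_CUR)  # skip to the next 512-byte boundary

# Constructed sample: x (size=5), a GNU long name whose data spans two blocks, then the file.
LONG_NAME = b"dir/" + b"n" * 600 + b".txt"
SAMPLE_TAR = (_entry(b"./PaxHeaders/f", b"x", b"10 size=5\n")
              + _entry(b"././@LongLink", b"L", LONG_NAME + b"\0")
              + _entry(LONG_NAME[:100], b"0", b"hello")
              + b"\0" * (2 * BLOCK))
```

Because the `L` data here is longer than one block, a walker that let the pending PAX `size` govern the `L` header would skip the wrong number of blocks and fall out of sync with the parser above.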