[Bug 2145764] Re: CVE-2026-33056: Vendored tar crate can chmod arbitrary directories by following symlinks

Richard Scott McNew 2145764 at bugs.launchpad.net
Fri Mar 27 14:58:05 UTC 2026


We have been slowly working on packaging asusctl but it has never been
included in the Ubuntu archive:
https://launchpad.net/ubuntu/+source/asusctl

asusctl vendors a vulnerable version of the Rust tar crate:
https://git.launchpad.net/ubuntu/+source/asusctl/tree/vendor/tar

If we were to finish the packaging of asusctl, we would want to ensure
that the vendored tar crate is patched.  The patch itself is a one-line
change:
https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446#diff-3dcefa956e75e2171b83e5134b542405a2adb7909a16dc03fad7fd92e8e2d945L449

I currently do not have time to finish packaging asusctl nor do I have
ASUS hardware to test it against.

I notified the other engineers who worked with asusctl in the past and
also the Security Engineering team for best practices and the
recommended way ahead to handle this scenario.


** Changed in: asusctl (Ubuntu Resolute)
   Importance: Undecided => Medium

** Changed in: asusctl (Ubuntu Resolute)
       Status: Confirmed => Deferred

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rustc in Ubuntu.
Matching subscriptions: rustc-1.93
https://bugs.launchpad.net/bugs/2145764

Title:
  CVE-2026-33056: Vendored tar crate can chmod arbitrary directories by
  following symlinks

Status in asusctl package in Ubuntu:
  Deferred
Status in cargo package in Ubuntu:
  New
Status in rust-astral-tokio-tar package in Ubuntu:
  New
Status in rust-async-tar package in Ubuntu:
  New
Status in rust-cargo-c package in Ubuntu:
  New
Status in rust-tar package in Ubuntu:
  New
Status in rustc package in Ubuntu:
  New
Status in rustc-1.62 package in Ubuntu:
  New
Status in rustc-1.74 package in Ubuntu:
  New
Status in rustc-1.76 package in Ubuntu:
  New
Status in rustc-1.77 package in Ubuntu:
  New
Status in rustc-1.78 package in Ubuntu:
  New
Status in rustc-1.79 package in Ubuntu:
  New
Status in rustc-1.80 package in Ubuntu:
  New
Status in rustc-1.81 package in Ubuntu:
  New
Status in rustc-1.82 package in Ubuntu:
  New
Status in rustc-1.83 package in Ubuntu:
  New
Status in rustc-1.84 package in Ubuntu:
  New
Status in rustc-1.85 package in Ubuntu:
  New
Status in rustc-1.88 package in Ubuntu:
  New
Status in rustc-1.89 package in Ubuntu:
  New
Status in rustc-1.90 package in Ubuntu:
  New
Status in rustc-1.91 package in Ubuntu:
  New
Status in rustc-1.92 package in Ubuntu:
  New
Status in rustc-1.93 package in Ubuntu:
  In Progress
Status in cargo source package in Jammy:
  New
Status in rust-tar source package in Jammy:
  New
Status in rustc source package in Jammy:
  New
Status in rustc-1.62 source package in Jammy:
  New
Status in rustc-1.76 source package in Jammy:
  New
Status in rustc-1.77 source package in Jammy:
  New
Status in rustc-1.78 source package in Jammy:
  New
Status in rustc-1.79 source package in Jammy:
  New
Status in rustc-1.80 source package in Jammy:
  New
Status in rustc-1.81 source package in Jammy:
  New
Status in rustc-1.82 source package in Jammy:
  New
Status in rustc-1.83 source package in Jammy:
  New
Status in rustc-1.84 source package in Jammy:
  New
Status in rustc-1.85 source package in Jammy:
  New
Status in rustc-1.89 source package in Jammy:
  New
Status in cargo source package in Noble:
  New
Status in rust-async-tar source package in Noble:
  New
Status in rust-cargo-c source package in Noble:
  New
Status in rust-tar source package in Noble:
  New
Status in rustc source package in Noble:
  New
Status in rustc-1.74 source package in Noble:
  New
Status in rustc-1.76 source package in Noble:
  New
Status in rustc-1.77 source package in Noble:
  In Progress
Status in rustc-1.78 source package in Noble:
  New
Status in rustc-1.79 source package in Noble:
  New
Status in rustc-1.80 source package in Noble:
  New
Status in rustc-1.81 source package in Noble:
  New
Status in rustc-1.82 source package in Noble:
  New
Status in rustc-1.83 source package in Noble:
  New
Status in rustc-1.84 source package in Noble:
  New
Status in rustc-1.85 source package in Noble:
  New
Status in rustc-1.89 source package in Noble:
  New
Status in rustc-1.91 source package in Noble:
  New
Status in rust-async-tar source package in Questing:
  New
Status in rust-cargo-c source package in Questing:
  New
Status in rust-tar source package in Questing:
  New
Status in rustc-1.85 source package in Questing:
  New
Status in rustc-1.88 source package in Questing:
  New
Status in asusctl source package in Resolute:
  Deferred
Status in rust-cargo-c source package in Resolute:
  New
Status in rust-tar source package in Resolute:
  New
Status in rustc-1.91 source package in Resolute:
  New
Status in rustc-1.92 source package in Resolute:
  New
Status in rustc-1.93 source package in Resolute:
  In Progress

Bug description:
  CVE record: https://www.cve.org/CVERecord?id=CVE-2026-33056

  Rust packages which vendor tar-rs 0.4.44 and below bundle in a
  vulnerability which allows malicious crates to change the
  permissions on arbitrary directories.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/asusctl/+bug/2145764/+subscriptions
