[Bug 2145764] Re: CVE-2026-33056: Vendored tar crate can chmod arbitrary directories by following symlinks
Richard Scott McNew
2145764 at bugs.launchpad.net
Mon Mar 30 22:37:35 UTC 2026
** Tags added: foundations-todo
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rustc in Ubuntu.
Matching subscriptions: rustc-1.93
https://bugs.launchpad.net/bugs/2145764
Title:
CVE-2026-33056: Vendored tar crate can chmod arbitrary directories by
following symlinks
Status in asusctl package in Ubuntu:
Deferred
Status in cargo package in Ubuntu:
New
Status in rust-astral-tokio-tar package in Ubuntu:
New
Status in rust-async-tar package in Ubuntu:
New
Status in rust-cargo-c package in Ubuntu:
New
Status in rust-tar package in Ubuntu:
New
Status in rustc package in Ubuntu:
New
Status in rustc-1.62 package in Ubuntu:
New
Status in rustc-1.74 package in Ubuntu:
New
Status in rustc-1.76 package in Ubuntu:
New
Status in rustc-1.77 package in Ubuntu:
New
Status in rustc-1.78 package in Ubuntu:
New
Status in rustc-1.79 package in Ubuntu:
New
Status in rustc-1.80 package in Ubuntu:
New
Status in rustc-1.81 package in Ubuntu:
New
Status in rustc-1.82 package in Ubuntu:
New
Status in rustc-1.83 package in Ubuntu:
New
Status in rustc-1.84 package in Ubuntu:
New
Status in rustc-1.85 package in Ubuntu:
New
Status in rustc-1.88 package in Ubuntu:
New
Status in rustc-1.89 package in Ubuntu:
New
Status in rustc-1.90 package in Ubuntu:
New
Status in rustc-1.91 package in Ubuntu:
New
Status in rustc-1.92 package in Ubuntu:
New
Status in rustc-1.93 package in Ubuntu:
In Progress
Status in cargo source package in Jammy:
New
Status in rust-tar source package in Jammy:
New
Status in rustc source package in Jammy:
New
Status in rustc-1.62 source package in Jammy:
New
Status in rustc-1.76 source package in Jammy:
New
Status in rustc-1.77 source package in Jammy:
New
Status in rustc-1.78 source package in Jammy:
New
Status in rustc-1.79 source package in Jammy:
New
Status in rustc-1.80 source package in Jammy:
New
Status in rustc-1.81 source package in Jammy:
New
Status in rustc-1.82 source package in Jammy:
New
Status in rustc-1.83 source package in Jammy:
New
Status in rustc-1.84 source package in Jammy:
New
Status in rustc-1.85 source package in Jammy:
New
Status in rustc-1.89 source package in Jammy:
New
Status in cargo source package in Noble:
New
Status in rust-async-tar source package in Noble:
New
Status in rust-cargo-c source package in Noble:
New
Status in rust-tar source package in Noble:
New
Status in rustc source package in Noble:
New
Status in rustc-1.74 source package in Noble:
New
Status in rustc-1.76 source package in Noble:
New
Status in rustc-1.77 source package in Noble:
In Progress
Status in rustc-1.78 source package in Noble:
New
Status in rustc-1.79 source package in Noble:
New
Status in rustc-1.80 source package in Noble:
New
Status in rustc-1.81 source package in Noble:
New
Status in rustc-1.82 source package in Noble:
New
Status in rustc-1.83 source package in Noble:
New
Status in rustc-1.84 source package in Noble:
New
Status in rustc-1.85 source package in Noble:
New
Status in rustc-1.89 source package in Noble:
New
Status in rustc-1.91 source package in Noble:
New
Status in rust-async-tar source package in Questing:
New
Status in rust-cargo-c source package in Questing:
New
Status in rust-tar source package in Questing:
New
Status in rustc-1.85 source package in Questing:
New
Status in rustc-1.88 source package in Questing:
New
Status in asusctl source package in Resolute:
Won't Fix
Status in rust-cargo-c source package in Resolute:
New
Status in rust-tar source package in Resolute:
New
Status in rustc-1.91 source package in Resolute:
New
Status in rustc-1.92 source package in Resolute:
New
Status in rustc-1.93 source package in Resolute:
In Progress
Bug description:
CVE record: https://www.cve.org/CVERecord?id=CVE-2026-33056
Rust packages which vendor tar-rs 0.4.44 and below bundle in a
vulnerability which allows malicious crates to change the
permissions on arbitrary directories.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/asusctl/+bug/2145764/+subscriptions
More information about the foundations-bugs
mailing list