[Bug 2145764] Re: CVE-2026-33056: Vendored tar crate can chmod arbitrary directories by following symlinks
Brent Kerby
2145764 at bugs.launchpad.net
Tue Mar 31 20:52:28 UTC 2026
Here are the fixes for the `rustc` package, ready for copying:
Noble: https://launchpad.net/~rust-toolchain/+archive/ubuntu/staging/+sourcepub/18278525/+listing-archive-extra
Jammy: https://launchpad.net/~rust-toolchain/+archive/ubuntu/staging/+sourcepub/18271405/+listing-archive-extra
Focal: https://launchpad.net/~rust-toolchain/+archive/ubuntu/staging/+sourcepub/18271467/+listing-archive-extra
Bionic: https://launchpad.net/~rust-toolchain/+archive/ubuntu/staging/+sourcepub/18272042/+listing-archive-extra
Xenial: https://launchpad.net/~rust-toolchain/+archive/ubuntu/staging/+sourcepub/18272065/+listing-archive-extra
Trusty: https://launchpad.net/~rust-toolchain/+archive/ubuntu/staging/+sourcepub/18272130/+listing-archive-extra
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rustc in Ubuntu.
Matching subscriptions: rustc-1.93
https://bugs.launchpad.net/bugs/2145764
Title:
CVE-2026-33056: Vendored tar crate can chmod arbitrary directories by
following symlinks
Status in asusctl package in Ubuntu:
Deferred
Status in cargo package in Ubuntu:
New
Status in rust-astral-tokio-tar package in Ubuntu:
New
Status in rust-async-tar package in Ubuntu:
New
Status in rust-cargo-c package in Ubuntu:
Fix Committed
Status in rust-tar package in Ubuntu:
New
Status in rustc package in Ubuntu:
New
Status in rustc-1.62 package in Ubuntu:
New
Status in rustc-1.74 package in Ubuntu:
New
Status in rustc-1.76 package in Ubuntu:
New
Status in rustc-1.77 package in Ubuntu:
New
Status in rustc-1.78 package in Ubuntu:
New
Status in rustc-1.79 package in Ubuntu:
New
Status in rustc-1.80 package in Ubuntu:
New
Status in rustc-1.81 package in Ubuntu:
New
Status in rustc-1.82 package in Ubuntu:
New
Status in rustc-1.83 package in Ubuntu:
New
Status in rustc-1.84 package in Ubuntu:
New
Status in rustc-1.85 package in Ubuntu:
New
Status in rustc-1.88 package in Ubuntu:
New
Status in rustc-1.89 package in Ubuntu:
New
Status in rustc-1.90 package in Ubuntu:
New
Status in rustc-1.91 package in Ubuntu:
Fix Committed
Status in rustc-1.92 package in Ubuntu:
Fix Committed
Status in rustc-1.93 package in Ubuntu:
Fix Committed
Status in cargo source package in Jammy:
New
Status in rust-tar source package in Jammy:
New
Status in rustc source package in Jammy:
New
Status in rustc-1.62 source package in Jammy:
New
Status in rustc-1.76 source package in Jammy:
New
Status in rustc-1.77 source package in Jammy:
New
Status in rustc-1.78 source package in Jammy:
New
Status in rustc-1.79 source package in Jammy:
New
Status in rustc-1.80 source package in Jammy:
New
Status in rustc-1.81 source package in Jammy:
New
Status in rustc-1.82 source package in Jammy:
New
Status in rustc-1.83 source package in Jammy:
New
Status in rustc-1.84 source package in Jammy:
New
Status in rustc-1.85 source package in Jammy:
New
Status in rustc-1.89 source package in Jammy:
New
Status in cargo source package in Noble:
New
Status in rust-async-tar source package in Noble:
New
Status in rust-cargo-c source package in Noble:
New
Status in rust-tar source package in Noble:
New
Status in rustc source package in Noble:
New
Status in rustc-1.74 source package in Noble:
New
Status in rustc-1.76 source package in Noble:
New
Status in rustc-1.77 source package in Noble:
In Progress
Status in rustc-1.78 source package in Noble:
New
Status in rustc-1.79 source package in Noble:
New
Status in rustc-1.80 source package in Noble:
New
Status in rustc-1.81 source package in Noble:
New
Status in rustc-1.82 source package in Noble:
New
Status in rustc-1.83 source package in Noble:
New
Status in rustc-1.84 source package in Noble:
New
Status in rustc-1.85 source package in Noble:
New
Status in rustc-1.89 source package in Noble:
New
Status in rustc-1.91 source package in Noble:
New
Status in rust-async-tar source package in Questing:
New
Status in rust-cargo-c source package in Questing:
New
Status in rust-tar source package in Questing:
New
Status in rustc-1.85 source package in Questing:
New
Status in rustc-1.88 source package in Questing:
New
Status in asusctl source package in Resolute:
Won't Fix
Status in rust-cargo-c source package in Resolute:
Fix Committed
Status in rust-tar source package in Resolute:
New
Status in rustc-1.91 source package in Resolute:
Fix Committed
Status in rustc-1.92 source package in Resolute:
Fix Committed
Status in rustc-1.93 source package in Resolute:
Fix Committed
Bug description:
CVE record: https://www.cve.org/CVERecord?id=CVE-2026-33056
Rust packages which vendor tar-rs 0.4.44 and below bundle in a
vulnerability which allows malicious crates to change the
permissions on arbitrary directories.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/asusctl/+bug/2145764/+subscriptions
More information about the foundations-bugs
mailing list