Deps.rs

cargo-deb 1.17.0

[![dependency status](https://deps.rs/crate/cargo-deb/1.17.0/status.svg)](https://deps.rs/crate/cargo-deb/1.17.0)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate cargo-deb

Dependencies

(14 total, 7 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 ar^0.6.00.9.0out of date
 cargo_toml^0.6.00.22.3out of date
 getopts^0.2.180.2.24up to date
 glob^0.2.110.3.3out of date
 md5^0.6.00.8.0out of date
 quick-error^1.2.22.0.1out of date
 rayon^1.0.31.11.0up to date
 serde^1.0.771.0.228up to date
 serde_derive^1.0.111.0.228up to date
 serde_json^1.0.21.0.149up to date
 tar ⚠️^0.4.160.4.45maybe insecure
 toml^0.4.41.1.2+spec-1.1.0out of date
 xz2^0.1.60.1.7up to date
 zopfli^0.4.00.8.3out of date

Dev dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 tempdir^0.3.60.3.7up to date

Security Vulnerabilities

tar: `unpack_in` can chmod arbitrary directories by following symlinks

RUSTSEC-2026-0067

In versions 0.4.44 and below of tar-rs, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root.

This issue has been fixed in version 0.4.45.

tar: tar-rs incorrectly ignores PAX size headers if header size is nonzero

RUSTSEC-2026-0068

Versions 0.4.44 and below of tar-rs have conditional logic that skips the PAX size header in cases where the base header size is nonzero.

As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue.

Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size — other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers.

This issue has been fixed in version 0.4.45.