Deps.rs

cargo-deb 1.44.1

[![dependency status](https://deps.rs/crate/cargo-deb/1.44.1/status.svg)](https://deps.rs/crate/cargo-deb/1.44.1)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate cargo-deb

Dependencies

(20 total, 5 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 ar^0.9.00.9.0up to date
 cargo_toml^0.15.20.22.3out of date
 crossbeam-channel^0.5.60.5.15up to date
 env_logger^0.10.00.11.10out of date
 flate2^1.0.251.1.9up to date
 getopts^0.2.210.2.24up to date
 glob^0.3.10.3.3up to date
 itertools^0.10.50.14.0out of date
 log^0.4.170.4.32up to date
 md5^0.7.00.8.0out of date
 num_cpus^1.15.01.17.0up to date
 quick-error^2.0.12.0.1up to date
 rayon^1.6.11.12.0up to date
 regex^1.7.01.12.3up to date
 serde^1.0.1521.0.228up to date
 serde_json^1.0.931.0.150up to date
 tar ⚠️^0.4.380.4.46maybe insecure
 tempfile^3.3.03.27.0up to date
 toml^0.7.21.1.2+spec-1.1.0out of date
 xz2^0.1.70.1.7up to date

Dev dependencies

(3 total, 2 outdated)

CrateRequiredLatestStatus
 lazy_static^1.4.01.5.0up to date
 mockall^0.11.30.14.0out of date
 rstest^0.17.00.26.1out of date

Security Vulnerabilities

tar: `unpack_in` can chmod arbitrary directories by following symlinks

RUSTSEC-2026-0067

In versions 0.4.44 and below of tar-rs, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root.

This issue has been fixed in version 0.4.45.

tar: tar-rs incorrectly ignores PAX size headers if header size is nonzero

RUSTSEC-2026-0068

Versions 0.4.44 and below of tar-rs have conditional logic that skips the PAX size header in cases where the base header size is nonzero.

As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue.

Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size — other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers.

This issue has been fixed in version 0.4.45.