FIND-20260329-018 · 2026-03-29 · Innovation Veille

CVE-2026-33056 Rust/Cargo tar-rs arbitrary directory chmod via symlink — fixed in Rust 1.94.1

cve MEDIUM
CVE-2026-33056 (CVSS 5.1, MEDIUM) affects tar-rs <= 0.4.44. When unpack_in checks whether a path under the extraction directory is a directory, it follows symlinks, so a crafted tarball that plants a symlink pointing at a directory elsewhere on the filesystem can get that directory's permission bits changed (chmod) during extraction, outside the directory the archive is supposed to be confined to. Cargo uses tar-rs to unpack downloaded .crate files, so a malicious crate in the dependency graph triggers the chmod on the developer's or CI machine during a build (or any Cargo command that fetches and extracts dependencies). Fixed in tar-rs 0.4.45, shipped in Rust 1.94.1 (released March 26, 2026). crates.io was patched on March 13 to reject uploads of crates that exploit the issue, and all previously published crates were audited. Severity is MEDIUM because exploitation requires the victim to build (or otherwise have Cargo extract) a malicious crate. ODS developers on Rust 1.94.1 or later are protected.
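As an added illustration (not code from the Rust blog post or from tar-rs), the following Rust program reproduces the class of bug in miniature with only the standard library: an extractor step that decides "is this path a directory?" with Path::is_dir(), which follows symlinks, against the same step using fs::symlink_metadata, which does not. The archive entries ("evil", the "victim" directory), the apply_dir_mode helper and the Outcome struct are constructed for the demo and are not tar-rs's API; the no-follow check is one safe approach to this primitive, not a description of what the 0.4.45 patch does.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::{symlink, PermissionsExt};
use std::path::Path;

/// Mode carried by the attacker's directory entry (constructed for the demo).
const ENTRY_MODE: u32 = 0o700;
/// Mode the victim directory starts with (constructed for the demo).
const ORIGINAL_MODE: u32 = 0o755;

/// Vulnerable check: `Path::is_dir` calls `metadata`, which follows symlinks,
/// so a symlink that points at a directory anywhere on the host passes as a directory.
fn is_dir_following(p: &Path) -> bool {
    p.is_dir()
}

/// Hardened check: `symlink_metadata` does not follow the final path component,
/// so a symlink is never mistaken for a directory.
fn is_dir_nofollow(p: &Path) -> io::Result<bool> {
    match fs::symlink_metadata(p) {
        Ok(m) => Ok(m.file_type().is_dir()),
        Err(e) if e.kind() == io::ErrorKind::NotFound => Ok(false),
        Err(e) => Err(e),
    }
}

/// Hypothetical extractor step: an archive entry for `entry` (relative to `root`)
/// is a directory entry, so apply its mode bits to the directory on disk.
/// `follow` selects the vulnerable or the hardened "is a directory" check.
/// Returns whether a chmod was issued.
fn apply_dir_mode(root: &Path, entry: &str, mode: u32, follow: bool) -> io::Result<bool> {
    let path = root.join(entry);
    let is_dir = if follow { is_dir_following(&path) } else { is_dir_nofollow(&path)? };
    if !is_dir {
        return Ok(false);
    }
    // chmod(2) follows symlinks: with the vulnerable check this lands on the link target.
    fs::set_permissions(&path, fs::Permissions::from_mode(mode))?;
    Ok(true)
}

fn mode_of(p: &Path) -> io::Result<u32> {
    Ok(fs::metadata(p)?.permissions().mode() & 0o777)
}

/// Results of replaying the constructed archive against both checks.
#[derive(Debug)]
struct Outcome {
    /// vulnerable check issued a chmod and the directory outside the root changed
    vulnerable_hit_outside: bool,
    /// hardened check refused the entry
    hardened_refused: bool,
    /// mode of the outside directory after the hardened run
    outside_mode_after_hardened: u32,
}

fn demo() -> io::Result<Outcome> {
    let base = std::env::temp_dir().join(format!("tar-symlink-chmod-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let root = base.join("unpack");   // extraction directory (think Cargo's registry/src)
    let victim = base.join("victim"); // stands in for any directory on the host
    fs::create_dir_all(&root)?;
    fs::create_dir_all(&victim)?;
    fs::set_permissions(&victim, fs::Permissions::from_mode(ORIGINAL_MODE))?;

    // Constructed archive, entry 1: symlink "evil" -> victim.
    symlink(&victim, root.join("evil"))?;
    // Entry 2: a directory entry at the same path "evil", carrying ENTRY_MODE.
    let chmodded = apply_dir_mode(&root, "evil", ENTRY_MODE, true)?;
    let vulnerable_hit_outside = chmodded && mode_of(&victim)? == ENTRY_MODE;

    // Reset the victim and replay entry 2 with the hardened check.
    fs::set_permissions(&victim, fs::Permissions::from_mode(ORIGINAL_MODE))?;
    let hardened_refused = !apply_dir_mode(&root, "evil", ENTRY_MODE, false)?;
    let outside_mode_after_hardened = mode_of(&victim)?;

    fs::remove_dir_all(&base)?;
    Ok(Outcome { vulnerable_hit_outside, hardened_refused, outside_mode_after_hardened })
}

fn main() -> io::Result<()> {
    println!("{:?}", demo()?);
    Ok(())
}
```

Run it with rustc on any Unix host; the vulnerable pass reports the victim directory at 0o700 while the no-follow pass leaves it at 0o755. The point for reviewers of any extractor (tar, zip, git checkout) is the same: a "does this exist / is this a directory" check that follows symlinks cannot confine writes or metadata changes to the extraction root.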

Source

https://blog.rust-lang.org/2026/03/21/cve-2026-33056/

ODS Impact

ODS Rust services (billing-engine, oid, pdf-engine, docstore): any developer or CI job running cargo build, cargo fetch or another command that extracts downloaded crates is exposed on Rust < 1.94.1 if a malicious crate reaches the dependency graph. Pin CI/CD and developer toolchains to 1.94.1 or later (for example via rust-toolchain.toml) and confirm with cargo --version. The toolchain upgrade covers Cargo's own copy of tar-rs; any service that depends on the tar crate directly (check with cargo tree -i tar) must also bump it to 0.4.45. Practical risk is low because ODS only uses vetted crates, but the toolchain upgrade is still recommended.

Security Review

License: N/A | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION

Tags

rust cargo cve supply-chain tar symlink