tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.
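As an added illustration (example code, not tar-rs code, and not a claim about how 0.4.45 implements its fix) of the check the advisory describes: the first helper uses fs::metadata(), which follows symlinks, the others use fs::symlink_metadata(), which inspects the entry itself, and demo() builds the symlink layout in a scratch directory (the `outside` and `root/entry` names are constructed).

```rust
// Added example, not tar-rs code: contrast the directory check the advisory
// describes (fs::metadata follows symlinks) with one that does not follow them.
use std::{fs, io, path::Path};
/// Vulnerable pattern: fs::metadata() resolves symlinks, so a symlink whose
/// target is a directory outside the extraction root reads as "existing dir".
pub fn looks_like_dir_following_links(p: &Path) -> bool {
    fs::metadata(p).map(|m| m.is_dir()).unwrap_or(false)
}
/// Hardened pattern: fs::symlink_metadata() inspects the entry itself, so a
/// symlink is reported as a symlink rather than as its target.
pub fn is_real_dir(p: &Path) -> bool {
    fs::symlink_metadata(p).map(|m| m.file_type().is_dir()).unwrap_or(false)
}
/// Decision an unpacker should make when a directory entry names a path that
/// already exists: Ok(true) = reuse it, Ok(false) = nothing there, Err = refuse
/// (a symlink, which must never receive the directory's chmod).
pub fn existing_dir_reusable(p: &Path) -> io::Result<bool> {
    let meta = match fs::symlink_metadata(p) {
        Ok(m) => m,
        Err(e) if e.kind() == io::ErrorKind::NotFound => return Ok(false),
        Err(e) => return Err(e),
    };
    if meta.file_type().is_symlink() {
        let msg = "refusing to treat symlink as an existing directory";
        return Err(io::Error::new(io::ErrorKind::InvalidData, msg));
    }
    Ok(meta.is_dir())
}
/// Constructed layout mirroring the advisory: `outside/` is a directory and
/// `root/entry` is a symlink to it. Returns (vulnerable check, hardened check,
/// unpacker refused) for `root/entry`, then cleans up.
pub fn demo() -> io::Result<(bool, bool, bool)> {
    let scratch = std::env::temp_dir().join(format!("tar_symlink_demo_{}", std::process::id()));
    let _ = fs::remove_dir_all(&scratch); // clear leftovers from an earlier run
    let (outside, root) = (scratch.join("outside"), scratch.join("root"));
    fs::create_dir_all(&outside)?;
    fs::create_dir_all(&root)?;
    let entry = root.join("entry");
    std::os::unix::fs::symlink(&outside, &entry)?;
    let result = (
        looks_like_dir_following_links(&entry), // true: follows the link
        is_real_dir(&entry),                    // false: it is a symlink
        existing_dir_reusable(&entry).is_err(), // true: unpacker refuses
    );
    fs::remove_dir_all(&scratch)?;
    Ok(result)
}
```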
Exploitability
  AV:N (Attack Vector: Network)  AC:L (Attack Complexity: Low)  AT:N (Attack Requirements: None)  PR:N (Privileges Required: None)  UI:A (User Interaction: Active)
Vulnerable System
  VC:N (Confidentiality: None)  VI:L (Integrity: Low)  VA:N (Availability: None)
Subsequent System
  SC:N (Confidentiality: None)  SI:N (Integrity: None)  SA:N (Availability: None)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N