Rusty Security: Popular Tokio-Tar Crate Left Vulnerable with Unpatched Bugs
A vulnerability in the async-tar Rust crate has affected the fast uv Python package manager. While some forks are patched, the widely used tokio-tar remains unfixed, leaving it vulnerable to file overwriting and supply chain attacks. Edera’s team struggled to contact maintainers, calling tokio-tar “abandonware” and advising a switch to safer versions.

Hot Take:
In the latest episode of “As the Codebase Turns,” the Rust crate async-tar is serving up some spicy drama. It’s like a soap opera for nerds, complete with hidden files, abandoned projects, and a game of “who’s got the patch?” It’s a reminder that even the rustiest of languages can’t hide from logic errors – they’re like the cockroaches of programming, always finding a way in!
Key Points:
– A vulnerability in the async-tar Rust crate has affected the fast uv Python package manager.
– The bug lets files be hidden inside a tar archive by exploiting the crate’s header parsing code.
– Edera discovered the flaw and reported potential risks like file overwriting and supply chain attacks.
– Multiple forks of async-tar exist, with only a few patched; the most popular one remains vulnerable.
– Edera highlights that Rust’s safety isn’t foolproof against logic errors.
