Oh no rust brothers... this popular abandonware library has a Remote Code Execution vulnerability even though rust was told to be a safe language!
How much do we bet it was some tiny useless library 4 levels deep in the cargo dependency tree?
>dangers of open source abandonware
Bro just fork it and fix the fucking problem? If anything this is a problem with closed source abandonware
>>106963600
>overstated danger
>overstated impact
>overstated relevance of who's affected
>lame name and logo
that's a "modern" CVE alright.
and of course we already have /g/eets falling for it
>>106963824
RCE is still one that matters. These are the ones that the glowies use to pop boxes of people they don't like. They send you a tar file, you open it and bam they've installed a backdoor. Great job not worrying about CVEs.
great, now all the low-IQ brain damaged rust haters can point to the rare vulnerability and say RuSt NoT sAfE1!!!!
when not a single knowledgeable person has ever said it was a perfect silver bullet. if someone goes out of their way to fuck up then you can introduce a vuln. but nope, the brain damaged will invent their own narratives.
hey guys let's not install locks, doors, windows, or have any sort of shelter because one builder out in fucking alabama didn't install hinges right and one single person got their house broken into!!! <--- that's your logic, fucking idiots
>>106963707
to add to what i wrote in >>106963824
start reading
https://edera.dev/stories/tarmageddon
and you will realize quickly that the exaggeration here borders on lying.
>in the popular async-tar Rust library and its deep lineage of forks, including the widely used tokio-tar.
those crates don't appear to be that popular:
https://crates.io/crates/async-tar/reverse_dependencies
https://crates.io/crates/tokio-tar/reverse_dependencies
https://crates.io/crates/astral-tokio-tar/reverse_dependencies
>This vulnerability impacts major, widely-used projects,
oh shit, IS IT OVER!
>including uv, testcontainers, and wasmCloud.
fucking who? lmao
the only one i ever heard of is uv. let's see what they have to say:
>In practice, the impact of this vulnerability is low: only source distributions can be formatted as tar archives, and source distributions execute arbitrary code at build/installation time by definition. Consequently, a parser differential in tar extraction is strictly less powerful than the capabilities already exposed to an attacker who has the ability to control source distributions.
https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9
-----
this is how many "modern" CVEs are. a load of exaggerated bullshit.
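The uv advisory quoted above talks about a "parser differential in tar extraction", i.e. two tar readers disagreeing about where an archive's entries begin and end. The script below is an added example written for this page, not code from the thread, from edera, uv or any of the tar crates mentioned. It audits an untrusted archive before extraction: it lets Python's standard `tarfile` module list the members, then walks the raw 512-byte headers independently (trusting only each header's own size field, and noting any PAX `size` record that disagrees with it), and reports a finding whenever the two views differ or a member name or link target would land outside the extraction directory. The sample archives at the bottom are constructed in memory with `tarfile` so the script runs offline; `audit_tar`, `raw_members` and `_build` are names chosen here, not an existing API.

```python
"""Pre-extraction audit of a tar archive: independent raw header walk vs. tarfile."""
import io
import tarfile

BLOCK = 512


def _octal(field: bytes) -> int:
    """Decode a NUL/space-padded octal header field (ustar size, mode, ...)."""
    s = field.split(b"\0", 1)[0].strip()
    return int(s, 8) if s else 0


def raw_members(data: bytes):
    """Naive ustar walk that trusts only each 512-byte header's own size field.

    Yields (name, size, typeflag, pax_size). PAX ('x'/'g') and GNU long-name
    ('L'/'K') entries are metadata, not members, so they are skipped; but a PAX
    'size' record is remembered and handed to the next real member so the caller
    can see whether the two size claims agree.
    """
    off = 0
    pax_size = None
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:          # end-of-archive marker
            break
        name = hdr[0:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        if hdr[257:263] == b"ustar\0":    # ustar prefix field extends the name
            prefix = hdr[345:500].split(b"\0", 1)[0].decode("utf-8", "replace")
            if prefix:
                name = prefix + "/" + name
        size = _octal(hdr[124:136])
        flag = chr(hdr[156])
        body = data[off + BLOCK: off + BLOCK + size]
        off += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK   # data is block-padded
        if flag in "xg":                  # PAX extended header: "<len> key=value\n" records
            pax_size = None
            for rec in body.split(b"\n"):
                if b"=" in rec:
                    key, _, val = rec.partition(b"=")
                    key = key.split(b" ", 1)[1] if b" " in key else key
                    if key == b"size":
                        pax_size = int(val)
            continue
        if flag in "LK":                  # GNU long name / long link name entries
            continue
        if flag == "5":                   # tarfile strips trailing '/' on directories
            name = name.rstrip("/")
        yield name, size, flag, pax_size
        pax_size = None


def audit_tar(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        members = tf.getmembers()
        lib_view = [(m.name, m.size) for m in members]
        for m in members:
            parts = m.name.replace("\\", "/").split("/")
            if m.name.startswith("/") or ".." in parts:
                findings.append(f"unsafe path: {m.name!r}")
            if (m.issym() or m.islnk()) and (
                m.linkname.startswith("/") or ".." in m.linkname.split("/")
            ):
                findings.append(f"link escapes archive: {m.name!r} -> {m.linkname!r}")
    raw_view = []
    for name, size, _flag, pax_size in raw_members(data):
        raw_view.append((name, size))
        if pax_size is not None and pax_size != size:
            findings.append(f"pax/ustar size disagreement for {name!r}: {pax_size} vs {size}")
    if lib_view != raw_view:
        findings.append(
            f"parser differential: tarfile sees {len(lib_view)} members, raw walk sees {len(raw_view)}"
        )
    return findings


def _build(members) -> bytes:
    """Constructed sample: build a plain ustar archive in memory from (name, bytes) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, content in members:
            ti = tarfile.TarInfo(name)
            ti.size = len(content)
            tf.addfile(ti, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample archives: one benign, one with a member that would escape the target dir.
CLEAN_TAR = _build([("pkg/README", b"hello\n"), ("pkg/src/main.rs", b"fn main() {}\n")])
TRAVERSAL_TAR = _build([("pkg/README", b"hello\n"), ("../outside.txt", b"x\n")])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_TAR), ("traversal", TRAVERSAL_TAR)):
        print(label, audit_tar(blob) or "ok")
```

The useful property here is that the two views are produced by unrelated code paths: `tarfile` honours PAX overrides and long-name entries, the raw walk deliberately does not, so any archive on which real-world extractors could diverge shows up as a non-empty findings list before anything is written to disk.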
>>106963836
see >>106963909
>>106963909
True, they're mostly edge cases. CVEs are like "Your computer will EXPLODE CVSS RATING 8.65" and you read the fine print and it's like "You have to enable the setting 'I'm a stupid fucking idiot' and put it into cum mode when the moon is in its primary lunar orbit"
this is actually a bug in the 13 different tar specifications
>>106963879
>perfect silver bullet
every single rust user has made this claim actually
>>106963600
does this affect GNU tar?
>>106964545
this is neither significant, nor is anything significant affected by it. the tar crate (the relevant rust implementation) is not affected. non-rust implementations are not affected, although they would have their own vulnerabilities/bugs. gnu tar for example had this:
https://www.cve.org/CVERecord?id=CVE-2025-45582