Tarmageddon Open Source Abandonware
6 months ago
- #vulnerability
- #opensource
- #security
- Vulnerability impacts major projects like uv, testcontainers, and wasmCloud due to tokio-tar's widespread use.
- Active forks have been patched, but the main tokio-tar remains unpatched, posing a systemic challenge.
- Suggested remediation includes upgrading to patched versions or migrating to actively maintained forks like astral-tokio-tar.
- The vulnerability is a desynchronization flaw: when a TAR entry's size as given in its PAX extended header disagrees with the size field of the ustar header, the parser advances by the wrong amount, which lets attackers smuggle additional archive entries into TAR extractions.
- Attack scenarios include Python build backend hijacking, container image poisoning, and BOM/manifest bypass.
- Patches prioritize PAX headers for size determination and validate header consistency between PAX and ustar records.
- Workarounds include using the standard tar crate or implementing runtime mitigations like post-extraction directory scanning.
- The disclosure highlights challenges with abandoned open-source dependencies and the need for defense-in-depth strategies.
- Timeline details the discovery, patching, and coordinated disclosure process over a 60-day embargo period.