Tracking issue: Rust Tarmageddon (CVE-2025-62518)

[niklaskorz]

CVE-2025-62518 / GHSA-j5gw-2vrg-8fgx revealed a high severity vulnerability in:

• astral-tokio-tar (fixed in 0.5.6)
• async-tar (fixed in 0.5.1)
• tokio-tar (no fixed version available)
• and potentially other, less popular forks of async-tar

The following packages reference potentially vulnerable versions of these crates.
Ideally, we can bump these to the fixed version of astral-tokio-tar or async-tar, preferably as an upstream PR.
If not, we have to assess whether the package itself has to be marked as vulnerable.
The list was generated by rg -l 'cargoDeps|cargoLock|cargoHash' pkgs/ and a very hacky Python script.

• bindle bindle: drop #455361 [25.05] bindle: mark as vulnerable #455537
• cargo-binstall cargo-binstall: 1.15.7 -> 1.15.9, fix CVE-2025-62518, add versionCheckHook #455310 [Backport release-25.05] cargo-binstall: 1.12.4 -> 1.15.9 #455917
• cotton cotton: drop #455326 [25.05] cotton: mark as vulnerable to CVE-2025-62518 #455990
• orogene orogene: drop #455328 [25.05] orogene: mark vulnerable #455424
• pixi pixi: 0.58.0 -> 0.59.0 #456779 [25.05] pixi: patch Cargo.lock to fix Tarmageddon #457802
• pixi-pack pixi-pack: 0.7.3 -> 0.7.4 #454568 [Backport release-25.05] pixi-pack: 0.6.2 -> 0.7.4 #455591
• pods pods: 2.1.2 -> 2.2.0, fix CVE-2025-62518, add versionCheckHook #455333 [Backport release-25.05] pods: 2.1.2 -> 2.2.0, fix CVE-2025-62518, add versionCheckHook #455899
• prek prek: 0.2.4 -> 0.2.11 #454497
• protonup-rs protonup-rs: 0.9.1 -> 0.9.2 #457012
• static-web-server static-web-server: 2.38.1 -> 2.39.0 #455702 [Backport release-25.05] static-web-server: 2.36.1 -> 2.39.0 #455816
• uv uv: 0.9.4 -> 0.9.5 #454303 uv: fix CVE-2025-62518 #454422
• wash-cli wash-cli: 0.39.0 -> 1.0.0-beta.10 #457188
• zed-editor zed-editor: 0.208.6 -> 0.209.5 #454738 [release-25.05] zed-editor: fix CVE-2025-62518 #455479
• python3Packages.aiotarfile python3Packages.aiotarfile: 0.5.1 -> 0.5.2 #455304 [Backport release-25.05] python3Packages.aiotarfile: 0.5.1 -> 0.5.2 #455330
• python3Packages.uv-build uv: 0.9.4 -> 0.9.5 #454303 uv: fix CVE-2025-62518 #454422

[sandydoo]

Thanks for the heads up, @niklaskorz. devenv can be marked off the list as it's not affected by the vulnerability.

The affected crate of ours is not distributed on nixpkgs. We'll get it patched, but there's no need to rush a release through nixpkgs for devenv itself.