async-tar and it's forks are vulnerable

[lolbinarycat]

see CVE-2025-62518, GHSA-j5gw-2vrg-8fgx, and this announcement blogpost.

This should be added to the rustsec database so library maintainers will be informed about it when running cargo audit.

[djc]

Want to submit an advisory? cc @woodruffw

[woodruffw]

Yeah, it'd be great to have RUSTSEC advisories for these. For context, the CVE is only for astral-tokio-tar (which is patched), the other forks of tokio-tar are potentially not patched or have divergent versions (I'm not familiar with them).

[woodruffw]

@lolbinarycat if you're interested in submitting these entries, I'd be happy to review them. Otherwise, I can probably find some time tomorrow to submit these.

[lolbinarycat]

I can submit advisories for these, though it will probably take until at least tomorrow.

Should I also submit separate "unmaintained" advisories, or is one advisory per crate enough?

[djc]

One advisory per crate is enough, just state explicitly that it is unmaintained and no fixes are expected to be forthcoming (or some such).

Thanks!

[jayvdb]

so we have #2442 and #2443 merged - what else is needed here?

[woodruffw]

I believe krata-tokio-tar also needs an advisory, at least based on Edera's post.