Update tar to 0.4.45 #16771

Merged: epage merged 2 commits into rust-lang:master from ehuss:tar-update-master on Mar 20, 2026

ehuss (Contributor) commented Mar 20, 2026

This updates tar to 0.4.45 to fix CVE-2026-33055 and CVE-2026-33056.

ehuss added 2 commits March 19, 2026 16:43

- This adds a test for a registry package where it has a symlink and a
  directory with the same name. The `tar` crate is incorrectly changing
  the permissions of the destination of the symlink (which can be anywhere
  on the filesystem).
- This updates tar to 0.4.45 to fix CVE-2026-33055 and CVE-2026-33056.

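
The archive layout the test commit describes (a symlink entry and a directory entry sharing one name) can be detected by reading the tar headers before anything is unpacked. The Rust scanner below is an added example, not code from cargo or the `tar` crate; its function names and the sample entries are constructed for illustration, and it assumes an uncompressed tar stream with plain ustar names.

```rust
use std::collections::HashMap;

/// Text of a NUL-terminated header field (empty if not valid UTF-8).
fn field(bytes: &[u8]) -> &str {
    let end = bytes.iter().position(|&b| b == 0).unwrap_or(bytes.len());
    std::str::from_utf8(&bytes[..end]).unwrap_or("")
}

/// Walk the 512-byte headers of a tar stream and return each path listed both
/// as a symlink (typeflag '2') and as a directory (typeflag '5'). Assumption:
/// plain ustar names only (no prefix field, PAX or GNU long-name records).
fn symlink_dir_collisions(tar: &[u8]) -> Vec<String> {
    let mut seen: HashMap<String, (bool, bool)> = HashMap::new(); // (symlink, dir)
    let mut hits = Vec::new();
    let mut off = 0;
    while off + 512 <= tar.len() {
        let h = &tar[off..off + 512];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        // Directory names usually carry a trailing '/', symlink names do not.
        let name = field(&h[..100]).trim_end_matches('/').to_string();
        let size = usize::from_str_radix(field(&h[124..136]).trim(), 8).unwrap_or(0);
        let flags = seen.entry(name.clone()).or_insert((false, false));
        flags.0 |= h[156] == b'2';
        flags.1 |= h[156] == b'5';
        if *flags == (true, true) && !hits.contains(&name) {
            hits.push(name);
        }
        off += 512 + (size + 511) / 512 * 512; // header plus padded data
    }
    hits
}

/// Constructed zero-length header; checksum left blank (not verified here).
fn header(name: &str, typeflag: u8, link: &str) -> Vec<u8> {
    let mut h = vec![0u8; 512];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..135].copy_from_slice(b"00000000000");
    h[156] = typeflag;
    h[157..157 + link.len()].copy_from_slice(link.as_bytes());
    h
}

fn main() {
    // Constructed sample: "pkg-1.0.0/dir" appears as a symlink and as a directory.
    let mut tar = header("pkg-1.0.0/dir", b'2', "some/target");
    tar.extend(header("pkg-1.0.0/dir/", b'5', ""));
    tar.extend(vec![0u8; 1024]);
    println!("{:?}", symlink_dir_collisions(&tar));
}
```
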
rustbot added the labels A-testing-cargo-itself (Area: cargo's tests) and S-waiting-on-review (Status: Awaiting review from the assignee but also interested parties.) on Mar 20, 2026

rustbot (Collaborator) commented Mar 20, 2026

r? @weihanglo

rustbot has assigned @weihanglo.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

Why was this reviewer chosen?

The reviewer was selected based on:

  • Owners of files modified in this PR: @ehuss, @epage, @weihanglo
  • @ehuss, @epage, @weihanglo expanded to ehuss, epage, weihanglo
  • Random selection from epage, weihanglo

epage enabled auto-merge March 20, 2026 00:28
epage added this pull request to the merge queue Mar 20, 2026
Merged via the queue into rust-lang:master with commit 73a7886 Mar 20, 2026
31 checks passed
rustbot removed the S-waiting-on-review (Status: Awaiting review from the assignee but also interested parties.) label Mar 20, 2026
rust-bors bot pushed a commit to rust-lang/rust that referenced this pull request Mar 20, 2026
Update cargo submodule

13 commits in cbb9bb8bd0fb272b1be0d63a010701ecb3d1d6d3..d81735547e5f2844322f36380ab66f549cda11b9
2026-03-13 14:34:16 +0000 to 2026-03-20 13:20:51 +0000
- cargo clean: Validate that target_dir is not a file  (rust-lang/cargo#16765)
- fix: fetching non-standard git refspecs on non-github repos (rust-lang/cargo#16768)
- Update tar to 0.4.45 (rust-lang/cargo#16771)
- chore: Remove edition_lint_opts from Lint (rust-lang/cargo#16762)
- refactor: split out several smaller changes to prepare for async http (rust-lang/cargo#16763)
- fix(compile): Make build.warnings ignore non-local deps (rust-lang/cargo#16760)
- fix: detect circular publish dependency cycle in workspace publish (rust-lang/cargo#16722)
- refactor(shell): Pull out term integration into `anstyle-progress` (rust-lang/cargo#16757)
- test: reproduce rustfix panic on overlapping suggestions (rust-lang/cargo#16705)
- fix: Avoid panic for package specs with an empty fragment (rust-lang/cargo#16754)
- refactor(registry): avoid dynamic dispatch for Registry trait (rust-lang/cargo#16752)
- refactor(shell): Pull out hyperlink logic into anstyle-hyperlink (rust-lang/cargo#16749)
- refactor(install): Remove dead code (rust-lang/cargo#16718)

r? ghost
rust-bors bot pushed a commit to rust-lang/rust that referenced this pull request Mar 21, 2026
Update cargo submodule

14 commits in cbb9bb8bd0fb272b1be0d63a010701ecb3d1d6d3..e84cb639edfea2c42efd563b72a9be0cc5de6523
2026-03-13 14:34:16 +0000 to 2026-03-21 01:27:07 +0000
- Fix symlink_and_directory when running in a long target dir name (rust-lang/cargo#16775)
- cargo clean: Validate that target_dir is not a file  (rust-lang/cargo#16765)
- fix: fetching non-standard git refspecs on non-github repos (rust-lang/cargo#16768)
- Update tar to 0.4.45 (rust-lang/cargo#16771)
- chore: Remove edition_lint_opts from Lint (rust-lang/cargo#16762)
- refactor: split out several smaller changes to prepare for async http (rust-lang/cargo#16763)
- fix(compile): Make build.warnings ignore non-local deps (rust-lang/cargo#16760)
- fix: detect circular publish dependency cycle in workspace publish (rust-lang/cargo#16722)
- refactor(shell): Pull out term integration into `anstyle-progress` (rust-lang/cargo#16757)
- test: reproduce rustfix panic on overlapping suggestions (rust-lang/cargo#16705)
- fix: Avoid panic for package specs with an empty fragment (rust-lang/cargo#16754)
- refactor(registry): avoid dynamic dispatch for Registry trait (rust-lang/cargo#16752)
- refactor(shell): Pull out hyperlink logic into anstyle-hyperlink (rust-lang/cargo#16749)
- refactor(install): Remove dead code (rust-lang/cargo#16718)
rustbot added this to the 1.96.0 milestone Mar 21, 2026
makai410 pushed a commit to makai410/rustc_public that referenced this pull request Mar 27, 2026