Forking confusing: Vulnerable Rust crate exposes uv Python packager

A vulnerability in the popular Rust crate async-tar has affected the fast uv Python package manager, which uses a forked version that's now patched – but the most widely downloaded version remains unfixed. The vulnerability is an error in the header parsing code that allows an attacker to hide additional files in a tar archive …

  1. DarkwavePunk Silver badge

    What?

    What demonic level of abstraction is this horror? I remember when "tar" was just a useful command on SunOS for tape archive or a local filesystem facsimile thereof. What have we done?

    1. Anonymous Coward

      Re: What?

      Cloud - ‘Someone else’s computer’

      FOSS - ‘Someone else’s software’… hopefully they are still interested/alive.

  2. JimmyPage Silver badge
    WTF?

    I thought Rust was the most perfect thing?

    I guess I should actually read some more

  3. Apocalypso - a cheery end to the world Bronze badge

    Iffy tars rather than tariff-y problems

    (NT)

  4. beast666 Silver badge

    Rust is not fit for purpose.

  5. stiine Silver badge
    Facepalm

    I know, I know!!!

    Forks of forks of forks, but which ones are patched?

    Some of them, but none of them have the same patches applied.
