Amazon Linux 2023 Security Advisory: ALAS2023-2026-1565
Advisory Released Date: 2026-04-13
Advisory Updated Date: 2026-04-13
tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header when the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers when they differ from the base header. This is almost the inverse of the astral-tokio-tar issue. Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking the header size: other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers. This issue has been fixed in version 0.4.45. (CVE-2026-33055)
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory -- and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45. (CVE-2026-33056)
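The difference between a symlink-following and a symlink-aware directory check, shown as an added example (not code from the tar crate or from this advisory). The function names and the temporary directory layout are constructed for illustration, the symlink-aware variant is one possible check rather than the crate's actual fix, and the code is Unix-only.

```rust
// Added example, not the tar crate's code; function names are hypothetical.
use std::fs;
use std::io;
use std::path::Path;

/// Check as the advisory describes it for 0.4.44 and below:
/// fs::metadata() follows symlinks, so a symlink to a directory passes.
fn exists_as_dir_following(path: &Path) -> bool {
    fs::metadata(path).map(|m| m.is_dir()).unwrap_or(false)
}

/// Symlink-aware check: fs::symlink_metadata() describes the link itself,
/// so only a real directory at `path` passes.
fn exists_as_real_dir(path: &Path) -> bool {
    fs::symlink_metadata(path)
        .map(|m| m.file_type().is_dir())
        .unwrap_or(false)
}

/// Builds a constructed layout in the temp dir and runs both checks:
///   base/outside/        directory outside the extraction root
///   base/root/data       symlink to base/outside
///   base/root/real/      real directory
/// Returns (following, aware) for the symlink, then for the real directory.
fn demo() -> io::Result<[(bool, bool); 2]> {
    let base = std::env::temp_dir().join(format!("alas-symlink-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let root = base.join("root");
    fs::create_dir_all(base.join("outside"))?;
    fs::create_dir_all(root.join("real"))?;
    std::os::unix::fs::symlink(base.join("outside"), root.join("data"))?;

    let (link, real) = (root.join("data"), root.join("real"));
    let out = [
        (exists_as_dir_following(&link), exists_as_real_dir(&link)),
        (exists_as_dir_following(&real), exists_as_real_dir(&real)),
    ];
    fs::remove_dir_all(&base)?;
    Ok(out)
}

fn main() -> io::Result<()> {
    let [link, real] = demo()?;
    println!("symlink:  following={} symlink-aware={}", link.0, link.1);
    println!("real dir: following={} symlink-aware={}", real.0, real.1);
    Ok(())
}
```

Only the symlink-aware check distinguishes the link from a real directory, which is why a permission change applied after the following check lands on the link's target.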
Affected Packages:
clamav1.5
Issue Correction:
Run dnf update clamav1.5 --releasever 2023.11.20260413 or dnf update --advisory ALAS2023-2026-1565 --releasever 2023.11.20260413 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
clamd1.5-debuginfo-1.5.1-1.amzn2023.0.5.aarch64
clamav1.5-freshclam-debuginfo-1.5.1-1.amzn2023.0.5.aarch64
clamav1.5-debuginfo-1.5.1-1.amzn2023.0.5.aarch64
clamav1.5-devel-1.5.1-1.amzn2023.0.5.aarch64
clamd1.5-1.5.1-1.amzn2023.0.5.aarch64
clamav1.5-milter-debuginfo-1.5.1-1.amzn2023.0.5.aarch64
clamav1.5-lib-debuginfo-1.5.1-1.amzn2023.0.5.aarch64
clamav1.5-1.5.1-1.amzn2023.0.5.aarch64
clamav1.5-milter-1.5.1-1.amzn2023.0.5.aarch64
clamav1.5-freshclam-1.5.1-1.amzn2023.0.5.aarch64
clamav1.5-lib-1.5.1-1.amzn2023.0.5.aarch64
clamav1.5-debugsource-1.5.1-1.amzn2023.0.5.aarch64
noarch:
clamav1.5-data-1.5.1-1.amzn2023.0.5.noarch
clamav1.5-doc-1.5.1-1.amzn2023.0.5.noarch
clamav1.5-filesystem-1.5.1-1.amzn2023.0.5.noarch
src:
clamav1.5-1.5.1-1.amzn2023.0.5.src
x86_64:
clamav1.5-1.5.1-1.amzn2023.0.5.x86_64
clamav1.5-milter-debuginfo-1.5.1-1.amzn2023.0.5.x86_64
clamav1.5-lib-debuginfo-1.5.1-1.amzn2023.0.5.x86_64
clamav1.5-debuginfo-1.5.1-1.amzn2023.0.5.x86_64
clamav1.5-devel-1.5.1-1.amzn2023.0.5.x86_64
clamav1.5-freshclam-debuginfo-1.5.1-1.amzn2023.0.5.x86_64
clamd1.5-debuginfo-1.5.1-1.amzn2023.0.5.x86_64
clamav1.5-milter-1.5.1-1.amzn2023.0.5.x86_64
clamd1.5-1.5.1-1.amzn2023.0.5.x86_64
clamav1.5-debugsource-1.5.1-1.amzn2023.0.5.x86_64
clamav1.5-freshclam-1.5.1-1.amzn2023.0.5.x86_64
clamav1.5-lib-1.5.1-1.amzn2023.0.5.x86_64