VYPR

apk package

chainguard/cargo-c

pkg:apk/chainguard/cargo-c

Vulnerabilities (10)

  • CVE-2026-33056Mar 20, 2026
    affected < 0.10.21-r3fixed 0.10.21-r3

    tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links,

  • CVE-2026-33055Mar 20, 2026
    affected < 0.10.21-r3fixed 0.10.21-r3

    tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX siz

  • CVE-2026-25727Feb 6, 2026
    affected < 0.10.20-r3fixed 0.10.20-r3

    time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used

  • CVE-2026-25541Feb 4, 2026
    affected < 0.10.20-r2fixed 0.10.20-r2

    Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, if the condition "v_capacity >= new_cap + offset" uses an unchecked addition. Whe

  • CVE-2026-0810Jan 26, 2026
    affected < 0.10.21-r0fixed 0.10.21-r0

    A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are

  • CVE-2025-58160LowAug 29, 2025
    affected < 0.10.15-r1fixed 0.10.15-r1

    tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be i

  • CVE-2025-4574MedMay 13, 2025
    affected < 0.10.12-r1fixed 0.10.12-r1

    In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.

  • CVE-2025-31130MedApr 4, 2025
    affected < 0.10.18-r0fixed 0.10.18-r0

    gitoxide is an implementation of git written in Rust. Before 0.42.0, gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. gitoxide uses the sha1_smol or sha1 crate, both of which implement standard SHA-1 withou

  • CVE-2024-45405MedSep 6, 2024
    affected < 0.10.4-r0fixed 0.10.4-r0

    `gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolv

  • CVE-2024-45305LowSep 2, 2024
    affected < 0.10.4-r0fixed 0.10.4-r0

    gix-path is a crate of the gitoxide project dealing with git paths and their conversions. `gix-path` executes `git` to find the path of a configuration file that belongs to the `git` installation itself, but mistakenly treats the local repository's configuration as system-wide if