Closed
Labels: bug
Description
In the latest builds, we're getting flagged for a CVE in tokio-tar, see e.g. this build:
This is only used via testcontainers, in our integration testing setup.
error[vulnerability]: `tokio-tar` parses PAX extended headers incorrectly, allows file smuggling
┌─ /github/workspace/Cargo.lock:308:1
│
308 │ tokio-tar 0.3.1 registry+https://github.com/rust-lang/crates.io-index
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
│
├ ID: RUSTSEC-2025-0111
├ Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0111
├ The archive reader incorrectly handles PAX extended headers, when the ustar
header incorrectly specifies zero size (`size=000000000000`), while a PAX
header specifies a non-zero size, `tokio-tar::Archive` is going to read the
file content as tar entry header.
This can be used by a tar file to present different content to `tokio-tar`
compared to other tar reader implementations.
This bug is also known as `CVE-2025-62518` and `GHSA-j5gw-2vrg-8fgx`, as those
crates share a common ancestor codebase.
The `tokio-tar` crate is archived and no longer maintained, we recommend you
switch to an alternative crate such as:
- [`astral-tokio-tar`](https://crates.io/crates/astral-tokio-tar)
├ Announcement: https://edera.dev/stories/tarmageddon
├ Solution: No safe upgrade is available!
├ tokio-tar v0.3.1
  └── testcontainers v0.23.1
      └── integration_test_runner v0.1.0
It looks like bumping testcontainers up to v0.25.2 shifts to use astral-tokio-tar which is good, but also forces an MSRV update to 1.85.0.
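An added example, not code from this issue, testcontainers or tokio-tar, showing the consistency check a defender can run over an archive before trusting a reader's view of it: it walks the 512-byte tar headers, reads the `size` record of any PAX extended header (typeflag `x`), and reports entries whose ustar size field is zero while the preceding PAX header gave a non-zero size, which is exactly the mismatch RUSTSEC-2025-0111 describes. The function names and the minimal PAX record parser are this example's own.

```rust
// Added example, not code from the issue, testcontainers or tokio-tar.
// Reports tar entries whose ustar size is 0 but whose PAX header says otherwise.
fn octal_field(block: &[u8], off: usize, len: usize) -> u64 {
    let raw = String::from_utf8_lossy(&block[off..off + len]);
    let digits = raw.trim_end_matches(|c| c == '\0' || c == ' ');
    u64::from_str_radix(digits.trim(), 8).unwrap_or(0)
}

// PAX records look like "<len> <key>=<value>\n"; only the `size` key matters here.
fn pax_size(data: &[u8]) -> Option<u64> {
    for rec in String::from_utf8_lossy(data).split('\n') {
        if let Some(kv) = rec.splitn(2, ' ').nth(1) {
            if let Some(v) = kv.strip_prefix("size=") {
                return v.parse().ok();
            }
        }
    }
    None
}

fn entry_name(block: &[u8]) -> String {
    let end = block[..100].iter().position(|&b| b == 0).unwrap_or(100);
    String::from_utf8_lossy(&block[..end]).into_owned()
}

pub fn find_size_mismatches(tar: &[u8]) -> Vec<String> {
    let mut hits = Vec::new();
    let mut pending_pax_size: Option<u64> = None;
    let mut pos = 0usize;
    while pos + 512 <= tar.len() {
        let hdr = &tar[pos..pos + 512];
        if hdr.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let size = octal_field(hdr, 124, 12) as usize; // ustar size field
        let data = &tar[pos + 512..(pos + 512 + size).min(tar.len())];
        if hdr[156] == b'x' {
            pending_pax_size = pax_size(data); // typeflag 'x': PAX extended header
        } else {
            if size == 0 && pending_pax_size.map_or(false, |s| s > 0) {
                hits.push(entry_name(hdr));
            }
            pending_pax_size = None;
        }
        // Advance past the header plus the data, rounded up to 512-byte blocks.
        let Some(next) = pos.checked_add(512 * (1 + (size + 511) / 512)) else { break };
        pos = next;
    }
    hits
}
```

A tar that trips this check should be rejected outright rather than extracted, since different readers will disagree about where its entries begin.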