From c1f1a8eb0323c5495b9f9075c7cee7000aea424b Mon Sep 17 00:00:00 2001
From: Niklas Korz
Date: Mon, 27 Oct 2025 09:58:27 +0100
Subject: [PATCH] Fix CVE-2025-62518 by migrating to astral-tokio-tar

---
 backend/Cargo.lock | 44 ++++++++++++-----------------
 backend/Cargo.toml | 2 +-
 backend/windmill-api/Cargo.toml | 2 +-
 backend/windmill-indexer/Cargo.toml | 2 +-
 4 files changed, 21 insertions(+), 29 deletions(-)

diff --git a/backend/Cargo.lock b/backend/Cargo.lock
index cd4732b4e6d35..9061d914a4c6d 100644
--- a/backend/Cargo.lock
+++ b/backend/Cargo.lock
@@ -550,6 +550,22 @@ dependencies = [
  "syn 2.0.108",
 ]
 
+[[package]]
+name = "astral-tokio-tar"
+version = "0.5.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec179a06c1769b1e42e1e2cbe74c7dcdb3d6383c838454d063eaac5bbb7ebbe5"
+dependencies = [
+ "filetime",
+ "futures-core",
+ "libc",
+ "portable-atomic",
+ "rustc-hash 2.1.1",
+ "tokio",
+ "tokio-stream",
+ "xattr",
+]
+
 [[package]]
 name = "async-broadcast"
 version = "0.7.2"
@@ -10519,15 +10535,6 @@ dependencies = [
  "bitflags 1.3.2",
 ]
 
-[[package]]
-name = "redox_syscall"
-version = "0.3.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "567664f262709473930a4bf9e51bf2ebf3348f2e748ccc50dea20646858f8f29"
-dependencies = [
- "bitflags 1.3.2",
-]
-
 [[package]]
 name = "redox_syscall"
 version = "0.5.18"
@@ -13773,21 +13780,6 @@ dependencies = [
  "tokio",
 ]
 
-[[package]]
-name = "tokio-tar"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d5714c010ca3e5c27114c1cdeb9d14641ace49874aa5626d7149e47aedace75"
-dependencies = [
- "filetime",
- "futures-core",
- "libc",
- "redox_syscall 0.3.5",
- "tokio",
- "tokio-stream",
- "xattr",
-]
-
 [[package]]
 name = "tokio-tungstenite"
 version = "0.24.0"
@@ -15187,6 +15179,7 @@ version = "1.566.1"
 dependencies = [
  "anyhow",
  "argon2",
+ "astral-tokio-tar",
  "async-nats",
  "async-oauth2",
  "async-recursion",
@@ -15275,7 +15268,6 @@ dependencies = [
  "tokio-postgres 0.7.11",
  "tokio-postgres 0.7.13",
  "tokio-stream",
- "tokio-tar",
  "tokio-tungstenite",
  "tokio-util",
  "tonic",
@@ -15453,6 +15445,7 @@ name = "windmill-indexer"
 version = "1.566.1"
 dependencies = [
  "anyhow",
+ "astral-tokio-tar",
  "bytes",
  "chrono",
  "const_format",
@@ -15466,7 +15459,6 @@ dependencies = [
  "tantivy",
  "tempfile",
  "tokio",
- "tokio-tar",
  "tracing",
  "uuid",
  "windmill-common",
diff --git a/backend/Cargo.toml b/backend/Cargo.toml
index 2aa9a4f301a9a..f3f5155142a9a 100644
--- a/backend/Cargo.toml
+++ b/backend/Cargo.toml
@@ -255,7 +255,7 @@ async-oauth2 = "0.5.1"
 reqwest = { version = "^0.12", features = ["json", "stream", "gzip", "multipart"] }
 time = "^0"
 serde_urlencoded = "^0"
-tokio-tar = "^0"
+astral-tokio-tar = "0.5.6"
 tempfile = "^3"
 tokio-util = { version = "^0", features = ["io"] }
 json-pointer = "^0"
diff --git a/backend/windmill-api/Cargo.toml b/backend/windmill-api/Cargo.toml
index 34cb7adfe973f..989dddaec29f5 100644
--- a/backend/windmill-api/Cargo.toml
+++ b/backend/windmill-api/Cargo.toml
@@ -92,7 +92,7 @@ mail-parser = { workspace = true, features = ["serde_support"], optional = true
 magic-crypt.workspace = true
 tempfile.workspace = true
 tokio-util.workspace = true
-tokio-tar.workspace = true
+astral-tokio-tar.workspace = true
 tokio-postgres.workspace = true
 hmac.workspace = true
 cookie.workspace = true
diff --git a/backend/windmill-indexer/Cargo.toml b/backend/windmill-indexer/Cargo.toml
index 800fe4683525f..fa183b18f5e97 100644
--- a/backend/windmill-indexer/Cargo.toml
+++ b/backend/windmill-indexer/Cargo.toml
@@ -29,7 +29,7 @@ futures.workspace = true
 tempfile.workspace = true
 bytes.workspace = true
 object_store = { workspace = true, optional = true}
-tokio-tar.workspace = true
+astral-tokio-tar.workspace = true
 lazy_static.workspace = true
 const_format.workspace = true
 flume.workspace = true
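Review bot: The new workspace line `astral-tokio-tar = "0.5.6"` in backend/Cargo.toml carries no record of why the crate was swapped or why 0.5.6 is the floor, so a later "dependency cleanup" or a downgrade to satisfy some other crate could silently reintroduce the vulnerable parser; I would add `# Replaces the unmaintained tokio-tar crate, which has no fix for CVE-2025-62518; do not go below 0.5.6, the release that carries the fix.` directly above it. The `"0.5.6"` requirement is a caret range, so it accepts later 0.5.x patch releases while refusing anything older, which is the right shape here and strictly better than the previous `^0`. Since this four-file diff touches no `.rs` source, the build presumably relies on astral-tokio-tar exposing its library under the old `tokio_tar` crate name; worth confirming with a clean build of windmill-api and windmill-indexer rather than assuming it. Beyond this patch, a `cargo audit` or `cargo deny check advisories` step in CI would have flagged this advisory automatically and would catch the next one.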