Tarmageddon Open Source Abandonware

https://news.ycombinator.com/rss Hits: 10
Summary

This vulnerability impacts major, widely-used projects, including uv (Astral's lightning-fast Python package manager), testcontainers, and wasmCloud. Due to the widespread nature of tokio-tar in various forms, it is not possible to truly quantify upfront the blast radius of this bug across the ecosystem.

While the active forks have been successfully patched (see also Astral Security Advisory), this disclosure highlights a major systemic challenge: the highly downloaded tokio-tar remains unpatched.

Our suggested remediation is to immediately upgrade to one of the patched versions or remove this dependency. If you depend on tokio-tar, consider migrating to an actively maintained fork like astral-tokio-tar. In addition, the Edera fork krata-tokio-tar will be archived to coalesce all efforts with the astral fork and reduce the ecosystem confusion.

The Challenge of Abandonware: A Decentralized Responsible Disclosure

This vulnerability disclosure was uniquely challenging because the most popular fork (tokio-tar, with over 5 million downloads on crates.io) appears to be abandonware – no longer actively maintained.

In a standard disclosure, a single patch is applied to the main upstream repository, and all downstream users inherit the fix. Because we could not rely on the original project maintainers to apply the fix, we were forced to coordinate a decentralized disclosure across a deep and complex fork lineage:

async-tar (Root) ➡️ tokio-tar (Most popular fork, abandoned) ➡️ krata-tokio-tar (Originally maintained by Edera, now archived) ➡️ astral-tokio-tar (Actively maintained by Astral)

Instead of a single point of contact, we had to:

1. Develop patches for the upstream versions.
2. Identify and reach out to the maintainers of the unmaintained upstream repositories (tokio-tar and async-tar). Neither project had a SECURITY.md or public contact method, so it required some social engineering and community sleuthing to locate the right maintainers.
3. Individually contact the maintainers of the...

First seen: 2025-10-25 19:33

Last seen: 2025-10-26 06:58