From 3c93f61b4de44db61839dda257d911b0a4b8e36c Mon Sep 17 00:00:00 2001
From: link2xt <link2xt@testrun.org>
Date: Tue, 21 Oct 2025 20:38:17 +0000
Subject: [PATCH] fix: migrate from tokio-tar to astral-tokio-tar

tokio-tar is unmaintained and has unpatched CVE-2025-62518.
More details on CVE are in <https://edera.dev/stories/tarmageddon>.
tokio-tar is only used for transferring backups
and worst case is that by manually inspecting
a carefully crafted backup user will not see
the same files as get unpacked when importing a backup.
---
 Cargo.lock | 61 +++++++++++++++++++-----------------------------------
 Cargo.toml |  2 +-
 deny.toml  |  2 --
 3 files changed, 22 insertions(+), 43 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index d574d22f7..db1fef9f4 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -198,6 +198,21 @@ dependencies = [
  "syn 2.0.106",
 ]
 
+[[package]]
+name = "astral-tokio-tar"
+version = "0.5.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec179a06c1769b1e42e1e2cbe74c7dcdb3d6383c838454d063eaac5bbb7ebbe5"
+dependencies = [
+ "filetime",
+ "futures-core",
+ "libc",
+ "portable-atomic",
+ "rustc-hash",
+ "tokio",
+ "tokio-stream",
+]
+
 [[package]]
 name = "async-broadcast"
 version = "0.7.2"
@@ -1292,6 +1307,7 @@ name = "deltachat"
 version = "2.22.0"
 dependencies = [
  "anyhow",
+ "astral-tokio-tar",
  "async-broadcast",
  "async-channel 2.5.0",
  "async-imap",
@@ -1366,7 +1382,6 @@ dependencies = [
  "tokio-io-timeout",
  "tokio-rustls",
  "tokio-stream",
- "tokio-tar",
  "tokio-util",
  "toml",
  "tracing",
@@ -2013,14 +2028,14 @@ checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
 
 [[package]]
 name = "filetime"
-version = "0.2.23"
+version = "0.2.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1ee447700ac8aa0b2f2bd7bc4462ad686ba06baa6727ac149a2d6277f0d240fd"
+checksum = "35c0522e981e68cbfa8c3f978441a5f34b30b96e146b33cd3359176b50fe8586"
 dependencies = [
  "cfg-if",
  "libc",
- "redox_syscall 0.4.1",
- "windows-sys 0.52.0",
+ "libredox",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -3269,6 +3284,7 @@ checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d"
 dependencies = [
  "bitflags 2.9.1",
  "libc",
+ "redox_syscall 0.5.12",
 ]
 
 [[package]]
@@ -4858,15 +4874,6 @@ dependencies = [
  "yasna",
 ]
 
-[[package]]
-name = "redox_syscall"
-version = "0.3.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "567664f262709473930a4bf9e51bf2ebf3348f2e748ccc50dea20646858f8f29"
-dependencies = [
- "bitflags 1.3.2",
-]
-
 [[package]]
 name = "redox_syscall"
 version = "0.4.1"
@@ -6148,21 +6155,6 @@ dependencies = [
  "tokio-util",
 ]
 
-[[package]]
-name = "tokio-tar"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d5714c010ca3e5c27114c1cdeb9d14641ace49874aa5626d7149e47aedace75"
-dependencies = [
- "filetime",
- "futures-core",
- "libc",
- "redox_syscall 0.3.5",
- "tokio",
- "tokio-stream",
- "xattr",
-]
-
 [[package]]
 name = "tokio-tfo"
 version = "0.3.1"
@@ -7275,17 +7267,6 @@ dependencies = [
  "time",
 ]
 
-[[package]]
-name = "xattr"
-version = "1.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e105d177a3871454f754b33bb0ee637ecaaac997446375fd3e5d43a2ed00c909"
-dependencies = [
- "libc",
- "linux-raw-sys 0.4.14",
- "rustix 0.38.44",
-]
-
 [[package]]
 name = "xml-rs"
 version = "0.8.25"
diff --git a/Cargo.toml b/Cargo.toml
index 43bd54326..f50eda040 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -103,7 +103,7 @@ thiserror = { workspace = true }
 tokio-io-timeout = "1.2.1"
 tokio-rustls = { version = "0.26.2", default-features = false }
 tokio-stream = { version = "0.1.17", features = ["fs"] }
-tokio-tar = { version = "0.3" } # TODO: integrate tokio into async-tar
+astral-tokio-tar = { version = "0.5.6", default-features = false }
 tokio-util = { workspace = true }
 tokio = { workspace = true, features = ["fs", "rt-multi-thread", "macros"] }
 toml = "0.9"
diff --git a/deny.toml b/deny.toml
index 42d5ab5c5..50a9c8a3d 100644
--- a/deny.toml
+++ b/deny.toml
@@ -36,8 +36,6 @@ skip = [
      { name = "rand_chacha", version = "0.3.1" },
      { name = "rand_core", version = "0.6.4" },
      { name = "rand", version = "0.8.5" },
-     { name = "redox_syscall", version = "0.3.5" },
-     { name = "redox_syscall", version = "0.4.1" },
      { name = "rustix", version = "0.38.44" },
      { name = "serdect", version = "0.2.0" },
      { name = "spin", version = "0.9.8" },