1. Forum
  2. Usenet
  3. LINUX.GENTOO.ANNOUNCE

  • [gentoo-announce] [ GLSA 202402-12 ] GNU Tar: Out of Bounds Read

    From [email protected]@21:1/5 to All on Sun Feb 18 08:30:01 2024
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202402-12
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: High
    Title: GNU Tar: Out of Bounds Read
    Date: February 18, 2024
    Bugs: #898176
    ID: 202402-12

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in GNU Tar which may lead to an out
    of bounds read.

    Background
    ==========

    The GNU Tar program provides the ability to create tar archives, as well
    as various other kinds of manipulation.

    Affected packages
    =================

    Package Vulnerable Unaffected
    ------------ ------------ ------------
    app-arch/tar < 1.34-r3 >= 1.34-r3

    Description
    ===========

    A vulnerability have been discovered in GNU Tar. Please review the CVE identifier referenced below for details.

    Impact
    ======

    GNU Tar has a one-byte out-of-bounds read that results in use of
    uninitialized memory for a conditional jump. Exploitation to change the
    flow of control has not been demonstrated. The issue occurs via a V7
    archive in which mtime has approximately 11 whitespace characters.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All GNU Tar users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-arch/tar-1.34-r3"

    References
    ==========

    [ 1 ] CVE-2022-48303
    https://nvd.nist.gov/vuln/detail/CVE-2022-48303

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202402-12

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to [email protected] or alternatively, you may file a bug at https://bugs.gentoo.org.

    License
    =======

    Copyright 2024 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmXRr7sACgkQFMQkOaVy +9nnrRAAwDFA0gjGOmNEUBN7X7OjRA98QPFOYcamHz5N33waraPPolLfnOIG3GSb ZRLK8Ip+tjdQeldzBs7NGgk6VmoabolbKyGByfFVXMQc+i+paOgQGzGAqXoQn/po a7UakLDax/OLp0gbyslBK7SkspLuPUh7lBgJqY3XLZyMsWkVJ3gwhEW+U5ws3Nqg ulMvQY337SvwTgjyc8oNb25bGBwDcMMSjq+jJV/SLEqsQCTLI5B6KUB0lP6mdtqi bv60d31BXWzHTbsooNGk8imBMr5WE7xb+cNp1+jPTyDzkHx64EnXdSNHPzpanys9 B9CjS5t4MjdmHo9tbJ5PJ7GMHdpkOVnBfwjjgavA8q44cXl0T6CXB+j/fO4X0z3G A+UNJyIqx+DulRlXR4GoNfvCoTS7gbGXjDcjTMPsTefMaNC6cGEgOQiIdHkE+42H BDvXSa6K3UoGfDXQ8jIs6aKPlolC4seT/c1T82FTdbF2vyZBjmO91nSuLyFPDeXZ A/0odnirR0bIlegrZzeXynGrxsr8hvo5SIYgkp1YuDjHICcaEkwQyZOw9FHadGJ1 s8HbTTOqQIcqmHMGYMYwp5o2E6lNiRFiZG9W44ptINZNxFdctfmoFL2Vff8Bt318 0nupkDReYFr8Y1GDOxIJ2lygIRfkAsCWJq9/ymrJhXFCjqi92SA=
    =C4vz
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)