bug#47422: tar is vulnerable to CVE-2021-20193
From: Maxime Devos
Subject: bug#47422: tar is vulnerable to CVE-2021-20193
Date: Fri, 26 Mar 2021 23:40:01 +0100
User-agent: Evolution 3.34.2
On Fri, 2021-03-26 at 22:30 +0100, Léo Le Bouter via Bug reports for GNU Guix
wrote:
> CVE-2021-20193 18:15
> A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw
> allows an attacker who can submit a crafted input file to tar to cause
> uncontrolled consumption of memory. The highest threat from this
> vulnerability is to system availability.
>
> Patch available here:
> https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777
>
> Unreleased for now.
There has been a 1.34 release (a git tag is missing, but see
https://git.savannah.gnu.org/cgit/tar.git/log/ ‘maint: 1.34 announcement
update’).
> We can probably apply it in core-updates now,
That's done already
(https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/base.scm?id=core-updates#n178)
> we should fix it in master also, since grafts don't apply to GNU Guix builds
> is that OK?
Technically, there won't be any trouble (except increased time spent grafting I
guess),
but ...
> GNU Guix packages don't unpack arbitrary tarballs since we hardcode
> hashes for verification, but still
It's ‘merely’ a denial-of-service attack. Perhaps relevant to Software Heritage
though (idk if they use Guix). So no big rush, but still nice to fix.
Thanks for looking at this (& other potential security issues),
Greetings, Maxime.
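The hash pinning Maxime refers to ("we hardcode hashes for verification") is the reason a crafted archive cannot reach tar through a Guix package definition. The following Python is an added example, not code from this thread or from Guix: the raw archive bytes are compared against a pinned SHA-256 before any tar parser touches them, so a modified download is refused without ever being parsed. The sample tarball, the pin, and the helpers `build_sample_tarball`, `verify_and_unpack` and `tamper` are all constructed here for illustration.

```python
import hashlib
import hmac
import io
import tarfile
from typing import Dict


def build_sample_tarball() -> bytes:
    """Constructed stand-in for a release tarball (not a real artifact).

    Written as plain uncompressed GNU tar with zeroed timestamps and ids so
    the bytes, and therefore the pinned digest, are reproducible."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        for name, payload in (("pkg/README", b"hello from a pinned archive\n"),
                              ("pkg/src/main.c", b"int main(void){return 0;}\n")):
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            info.mtime = 0
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_and_unpack(archive: bytes, pinned_sha256: str) -> Dict[str, bytes]:
    """Hand the bytes to the tar parser only if they match the pinned digest.

    Returns regular-file members as {name: contents}. Raises ValueError on a
    digest mismatch (before parsing) or on an unsafe member path."""
    actual = sha256_hex(archive)
    # Constant-time compare; the parser below is never reached on mismatch.
    if not hmac.compare_digest(actual, pinned_sha256):
        raise ValueError(f"hash mismatch: expected {pinned_sha256}, got {actual}")
    files: Dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for member in tf:
            # Reject absolute paths and parent-directory traversal.
            if member.name.startswith("/") or ".." in member.name.split("/"):
                raise ValueError(f"unsafe member path: {member.name}")
            if member.isfile():
                files[member.name] = tf.extractfile(member).read()
    return files


def tamper(archive: bytes, offset: int = 512) -> bytes:
    """Flip one bit in the first data block to simulate a modified download
    (the first 512 bytes are the header of the first member)."""
    b = bytearray(archive)
    b[offset] ^= 0x01
    return bytes(b)


def demo() -> bool:
    """Pinned archive unpacks; tampered archive is refused before parsing."""
    archive = build_sample_tarball()
    pin = sha256_hex(archive)  # what a package definition would hardcode
    good = verify_and_unpack(archive, pin)
    if good.get("pkg/README") != b"hello from a pinned archive\n":
        return False
    try:
        verify_and_unpack(tamper(archive), pin)
    except ValueError as err:
        return str(err).startswith("hash mismatch")
    return False


if __name__ == "__main__":
    print("pinned unpack ok, tampered archive refused:", demo())
```

The digest is computed over the downloaded bytes, not over the extracted contents, which is what makes the check useful against parser bugs: the archive is rejected or accepted before any tar header is read.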