bug#47422: closed (tar is vulnerable to CVE-2021-20193)

emacs-bug-tracker

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#47422: closed (tar is vulnerable to CVE-2021-20193)

From:	GNU bug Tracking System
Subject:	bug#47422: closed (tar is vulnerable to CVE-2021-20193)
Date:	Fri, 12 Nov 2021 07:56:01 +0000

Your message dated Fri, 12 Nov 2021 02:54:24 -0500
with message-id <87h7ch24hg.fsf@netris.org>
and subject line Re: bug#47422: tar is vulnerable to CVE-2021-20193
has caused the debbugs.gnu.org bug report #47422,
regarding tar is vulnerable to CVE-2021-20193
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
47422: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=47422
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

--- Begin Message --- Subject: tar is vulnerable to CVE-2021-20193 Date: Fri, 26 Mar 2021 22:30:57 +0100 User-agent: Evolution 3.34.2

CVE-2021-20193  18:15
A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw
allows an attacker who can submit a crafted input file to tar to cause
uncontrolled consumption of memory. The highest threat from this
vulnerability is to system availability.

Patch available here: 
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777

Unreleased for now.

We can probably apply it in core-updates now, we should fix it in
master also, since grafts don't apply to GNU Guix builds is that OK?

GNU Guix packages don't unpack arbitrary tarballs since we hardcode
hashes for verification, but still.

signature.asc
Description: This is a digitally signed message part

--- End Message ---

--- Begin Message --- Subject: Re: bug#47422: tar is vulnerable to CVE-2021-20193 Date: Fri, 12 Nov 2021 02:54:24 -0500

Six days ago, I wrote:

> Here's a proposed fix, which I've tested on my own system.
> Are there any objections to pushing this to 'master'?

I've now pushed this to 'master', commit
33a80e111096b05af3d60576dfcb2d67099dc60e.
I'm closing this bug now.

     Thanks!
       Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.

--- End Message ---

[Prev in Thread]

Current Thread

[Next in Thread]

bug#47422: closed (tar is vulnerable to CVE-2021-20193), GNU bug Tracking System <=

Prev by Date: Processed: control message for bug #51762
Next by Date: Processed: control message for bug #51690
Previous by thread: Processed: control message for bug #51762
Next by thread: Processed: control message for bug #51690
Index(es):
- Date
- Thread