--- Begin Message ---
Subject: |
tar is vulnerable to CVE-2021-20193 |
Date: |
Fri, 26 Mar 2021 22:30:57 +0100 |
User-agent: |
Evolution 3.34.2 |
CVE-2021-20193 18:15
A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw
allows an attacker who can submit a crafted input file to tar to cause
uncontrolled consumption of memory. The highest threat from this
vulnerability is to system availability.
Patch available here:
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777
Unreleased for now.
We can probably apply it in core-updates now, we should fix it in
master also, since grafts don't apply to GNU Guix builds is that OK?
GNU Guix packages don't unpack arbitrary tarballs since we hardcode
hashes for verification, but still.
signature.asc
Description: This is a digitally signed message part
--- End Message ---
--- Begin Message ---
Subject: |
Re: bug#47422: tar is vulnerable to CVE-2021-20193 |
Date: |
Fri, 12 Nov 2021 02:54:24 -0500 |
Six days ago, I wrote:
> Here's a proposed fix, which I've tested on my own system.
> Are there any objections to pushing this to 'master'?
I've now pushed this to 'master', commit
33a80e111096b05af3d60576dfcb2d67099dc60e.
I'm closing this bug now.
Thanks!
Mark
--
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about <https://stallmansupport.org>.
--- End Message ---