Bug 24117

Summary:	tar new security issue CVE-2018-20482
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	herman.viaene, lewyssmith, marja11, smelror, sysadmin-bugs
Version:	6	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA6-32-OK
Source RPM:	tar-1.30-3.mga7.src.rpm	CVE:
Status comment:

Description David Walser 2019-01-03 03:17:53 CET

Tar 1.31 has been released, fixing a security issue in the following commit:
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454

and another possible security issue here:
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=b531801d6f49d64a126720e6004aae7c800764b2

It didn't build due to a testsuite failure:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20190102233602.kekepower.duvel.25137/log/tar-1.31-1.mga7/build.0.20190102233705.log

but hopefully a fix will show up upstream:
https://www.mail-archive.com/bug-tar@gnu.org/
http://git.savannah.gnu.org/cgit/tar.git

Mageia 6 may also be affected.

David Walser 2019-01-03 03:18:02 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-01-03 21:28:27 CET

Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

David Walser 2019-01-04 00:32:56 CET

CC: (none) => smelror

Comment 2 Stig-Ørjan Smelror 2019-01-04 00:55:04 CET

Advisory
========

GNU tar has been updated to fix CVE-2018-20482.

GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c)
by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).

References
==========

https://lists.gnu.org/archive/html/bug-tar/2019-01/msg00000.html
https://nvd.nist.gov/vuln/detail/CVE-2018-20482

Files
=====

tar-1.31-1.mga6

from tar-1.31-1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Assignee: shlomif => qa-bugs
Version: Cauldron => 6

Comment 3 Stig-Ørjan Smelror 2019-01-04 00:55:23 CET

GNU tar 1.31 has also been pushed to Cauldron

Comment 4 Herman Viaene 2019-01-11 10:07:46 CET

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref bug 19696 for tests, so
testing existing file
$ tar -tvf /mnt/Documents/kursussen.tar.gz 
drwxrwxr-x herman/herman     0 2007-04-18 09:30 kursussen/
-rw-r--r-- herman/herman   931 2007-03-05 11:01 kursussen/cut.jpg
-rw-rw-r-- herman/herman 2036968 2007-03-30 18:07 kursussen/text.odt
-rw-rw-r-- herman/herman   21880 2007-03-05 15:07 kursussen/findreplace.jpg
and a lot more, all OK
Making and extracting new tar file
$ cd Documenten/
$ tar -cf bugtest.tar apachemodper.txt dcraw.txt 
Copy tar file to tmp
$ cd ../tmp/
$ tar -xf bugtest.tar
$ ls
apachemodper.txt  bugtest.tar  dcraw.txt
All OK to me

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Lewis Smith 2019-01-11 20:03:19 CET

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2019-01-11 22:09:18 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0034.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED