| Summary: | tar new security issue CVE-2021-20193 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, mageia, mageia, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO MGA8-64-OK MGA7-64-OK | ||
| Source RPM: | tar-1.34-1.mga9.src.rpm | CVE: | CVE-2021-20193 |
| Status comment: | |||
Description

David Walser 2021-05-30 23:24:20 CEST

David Walser 2021-05-30 23:24:27 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO

cauldron is already fixed

Version: Cauldron => 8

Fixed in mga 7/8

src:
- tar-1.32-1.1.mga7
- tar-1.33-2.1.mga8

Assignee: bugsquad => qa-bugs

mga8, x64

CVE-2021-20193
https://bugzilla.redhat.com/show_bug.cgi?id=1917565

```text
$ valgrind tar tf 1311745-out-bounds.tar
==54829== Memcheck, a memory error detector
==54829== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==54829== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==54829== Command: tar tf 1311745-out-bounds.tar
==54829==
tar: Unexpected EOF in archive
tar: Exiting with failure status due to previous errors
```

Updated the tar package.
installing tar-1.33-2.1.mga8.....

```text
$ tar xf 1311745-out-bounds.tar
tar: Unexpected EOF in archive
tar: Exiting with failure status due to previous errors
```

The PoC tests agree before and after updating so maybe the package had already been patched.

Used tar to extract all files from a 5GB tarfile. OK.

```text
$ tar cf mp4.tar *.mp4
$ ll mp4.tar
-rw-r--r-- 1 lcl lcl 356792320 Jun 2 10:45 mp4.tar
$ tar cf sub.tar MichaelPraetorius_*
```

Extract a particular file:

```text
$ cp mp4.tar dev/
$ cd dev
$ tar --get -f mp4.tar HeinrichBiber......mp4
$ ls
HeinrichBiber-SonataIVinCMajorforTrumpetandStrings.mp4 mp4.tar sub.tar
$ tar --extract --wildcards -f vom.tar *.mkv
```

Creates a subdirectory VoicesOfMusic :-

```text
$ ls VoicesOfMusic/
AirOnTheGString_Suite_3_BWV1068_JSBach.mkv
AndreaFalconieri_FoliasLaFolia.mkv
AntonioVivaldi_LaFolliaLaFolia.mkv
Corelli_ConcertoinDMajorOpus6_4.mkv
.....
```

There are many dozens of options for tar. As far as these tests go tar seems to be working fine.

CC: (none) => tarazed25

Installed and tested without issues.

Tested:
- Testing existing tar balls (find -ipath '*.tar.*' -exec tar tvf '{}' ';');
- Listing content;
- Extracting existing tar balls;
- Creating tar ball;
- Appending to tar ball;
- Diff between tar ball and filesystem;

System: Mageia 7, x86_64, Intel CPU.

```text
$ uname -a
Linux marte 5.10.41-desktop-1.mga7 #1 SMP Fri May 28 14:28:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q tar
tar-1.32-1.1.mga7
```

Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs

Advisory:
========================

Updated tar package fixes a security vulnerability:

A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability (CVE-2021-20193).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29049
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20193
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XRDSUUE3LUKBDRLPB7GTT5QZRPV5J7O4/
========================

Updated package in 7/core/updates_testing:
========================
tar-1.32-1.1.mga7

from SRPM:
tar-1.32-1.1.mga7.src.rpm
========================

Updated package in 8/core/updates_testing:
========================
tar-1.33-2.1.mga8

from SRPM:
tar-1.33-2.1.mga8.src.rpm

CC: (none) => ouaurelien

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0233.html

Status: NEW => RESOLVED
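The advisory describes the flaw as uncontrolled memory consumption triggered by a crafted archive. As an added example that is not part of this bug report or of the tar project, the script below shows one host-side containment for that failure mode: listing an untrusted archive under a virtual-memory cap, so a malformed header exhausts the capped subshell rather than the machine. It assumes GNU tar and a shell whose `ulimit` supports `-v`; the sample archives are constructed inline.

```shell
#!/bin/sh
# Added example (not from the bug report or the tar project): list an
# untrusted archive under a virtual-memory cap so that a header which drives
# uncontrolled memory growth (the bug class fixed by CVE-2021-20193) is
# stopped by the limit instead of exhausting the host. Assumes GNU tar and a
# shell whose ulimit supports -v (bash and dash do).

# safe_tar_list ARCHIVE [LIMIT_KB]
# Runs "tar tf" in a subshell with the address-space limit set to LIMIT_KB
# (default 512 MB). Exit status: 0 = listed cleanly, 2 = no such file,
# 3 = limit unsupported, otherwise tar's own failure status (2 for a
# truncated GNU tar archive).
safe_tar_list() {
    archive=$1
    limit_kb=${2:-524288}
    [ -f "$archive" ] || return 2
    (
        ulimit -v "$limit_kb" 2>/dev/null || exit 3
        tar tf "$archive" >/dev/null 2>&1
    )
}

# make_samples: build a constructed two-file archive plus a truncated copy of
# it (cut inside the first data block) and print the temp directory path.
make_samples() {
    dir=$(mktemp -d) || return 1
    printf 'hello\n' > "$dir/a.txt"
    printf 'world\n' > "$dir/b.txt"
    tar cf "$dir/good.tar" -C "$dir" a.txt b.txt
    # 700 bytes = one 512-byte header plus part of its data block; GNU tar
    # reports "Unexpected EOF in archive" for this, as in the QA log above.
    head -c 700 "$dir/good.tar" > "$dir/truncated.tar"
    printf '%s\n' "$dir"
}

# Demo on the constructed samples.
sample_dir=$(make_samples)
for f in good.tar truncated.tar; do
    if safe_tar_list "$sample_dir/$f"; then
        echo "$f: listed OK"
    else
        echo "$f: rejected (status $?)"
    fi
done
rm -rf "$sample_dir"
```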