Bug 30821

Summary: libtar new security issues CVE-2021-3364[3-6]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libtar-1.2.20-9.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-09-06 21:31:01 CEST 
Fedora has issued an advisory on September 4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/

Mageia 8 is also affected.
David Walser 2022-09-06 21:31:15 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from Fedora

Comment 1 Marja Van Waes 2022-09-06 21:34:54 CEST 
No registered maintainer, assigning to all packagers collectively

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Salguero 2022-09-07 10:27:19 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longlink, causing an out-of-bounds read. (CVE-2021-33643)

An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longname, causing an out-of-bounds read. (CVE-2021-33644)

The th_read() function doesn't free a variable t->th_buf.gnu_longlink after allocating memory, which may cause a memory leak. (CVE-2021-33645)

The th_read() function doesn't free a variable t->th_buf.gnu_longname after allocating memory, which may cause a memory leak. (CVE-2021-33646)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33643
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33644
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33646
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/
========================

Updated packages in core/updates_testing:
========================
lib(64)tar0-1.2.20-9.1.mga8
lib(64)tar-devel-1.2.20-9.1.mga8
libtar-1.2.20-9.1.mga8

from SRPM:
libtar-1.2.20-9.1.mga8.src.rpm

Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Status comment: Patches available from Fedora => (none)
Source RPM: libtar-1.2.20-10.mga9.src.rpm => libtar-1.2.20-9.mga8.src.rpm
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)

Comment 3 Herman Viaene 2022-09-15 14:06:50 CEST 
MGA8-64 Plasma on Acer Aspire 5253
No installation issues
Followed example in bug 11424 Comment 10
$ cd libtartest/
$ echo "test test test" >test.txt
$ libtar -c tartest.tar test.txt
$ rm -f test.txt
$ libtar -x tartest.tar
$ cat test.txt 
test test test
Works OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-09-16 02:48:29 CEST 
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-09-16 20:00:25 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-09-16 21:41:50 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0335.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED