| Summary: | tar new security issue CVE-2022-48303 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, ghibomgx, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | tar-1.33-2.1.mga8.src.rpm | CVE: | CVE-2022-48303 |
| Status comment: | | | |
Description

David Walser 2023-02-17 17:19:58 CET

David Walser 2023-02-17 17:20:10 CET

Whiteboard: (none) => MGA8TOO

Assigning globally because tar does not have an obvious packager, but CC'ing Giuseppe who has done some things to it recently.

Assignee: bugsquad => pkg-bugs

openSUSE has issued an advisory for this on February 20:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EMCL5SDDZC2JTGVOT5D2T56IWCRICHJD/

RedHat has issued an advisory for this on February 21:
https://access.redhat.com/errata/RHSA-2023:0842

Suggested advisory:
========================

The updated package fixes a security vulnerability:

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters. (CVE-2022-48303)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48303
https://lists.suse.com/pipermail/sle-security-updates/2023-February/013834.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EMCL5SDDZC2JTGVOT5D2T56IWCRICHJD/
https://access.redhat.com/errata/RHSA-2023:0842
========================

Updated package in core/updates_testing:
========================

tar-1.33-2.2.mga8

from SRPM:
tar-1.33-2.2.mga8.src.rpm

Whiteboard: MGA8TOO => (none)

No installation issues.

Created an archive of photos of a special shape hot air balloon that I have crewed for, named Beagle Maximus. Used the verbose option just to show what was happening.

```
$ tar -cvf beagle.tar.gz Pictures/Beagle/
Pictures/Beagle/
Pictures/Beagle/beagle maximus.jpg
Pictures/Beagle/Beagle Max circle.jpg
Pictures/Beagle/p4230003.jpg
Pictures/Beagle/Beagle Max.jpg
Pictures/Beagle/421420429_e7527be223_o.jpg
Pictures/Beagle/beagle poster.pdf
Pictures/Beagle/beagle Poster.pdf
Pictures/Beagle/p4230001.jpg
Pictures/Beagle/p4230002.jpg
Pictures/Beagle/1171314392_01b8be2c13_b.jpg
Pictures/Beagle/beagle oval a.jpg
Pictures/Beagle/Beagle Max3.jpg
Pictures/Beagle/Beagle Max2.jpg
Pictures/Beagle/Beagle Max2A.xcf
Pictures/Beagle/beagle maximus2.jpg
Pictures/Beagle/Beagle Max2b.jpg
Pictures/Beagle/Beagle Poster 2.pdf
Pictures/Beagle/p4230004.jpg
Pictures/Beagle/Beagle Max2A.png
Pictures/Beagle/beagle maximus3.jpg
Pictures/Beagle/p4230005.jpg
Pictures/Beagle/Beagle Max4.jpg
```

Moved the archive to another folder, and extracted it with ARK. All photos looked identical to the originals.

Giving this an OK, and validating. Advisory in comment 4.

Keywords: (none) => validated_update
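The advisory text in this bug names the fault precisely: a one-byte out-of-bounds read in from_header (list.c) when a V7 header's mtime field holds about eleven whitespace characters instead of octal digits. The script below is an added example written for this page, not code from the Mageia package, the QA test above, or GNU tar. It pre-screens the numeric fields of each tar header (mode, uid, gid, size, mtime, chksum) and reports headers whose field contains no octal digit at all, plus headers whose checksum does not match, so an archive of that shape can be rejected before it reaches an unpatched tar. The field offsets are the standard V7 layout, which ustar shares; the strictness policy (optional leading spaces, at least one digit, then only spaces or NULs), the file name hello.txt, the time stamp and both sample archives are constructed for the example and are not tar's own parser rules.

```python
"""Pre-screen tar headers for blank or malformed numeric fields (added example,
not Mageia's or GNU tar's code; offsets are the V7/ustar header layout)."""
from __future__ import annotations

BLOCK = 512
# (field name, offset, length) of the octal fields common to V7 and ustar headers.
NUMERIC_FIELDS = (
    ("mode", 100, 8),
    ("uid", 108, 8),
    ("gid", 116, 8),
    ("size", 124, 12),
    ("mtime", 136, 12),
)
CHKSUM_OFF, CHKSUM_LEN = 148, 8

def header_checksum(block: bytes) -> int:
    """Sum of all header bytes, with the chksum field counted as eight spaces."""
    return sum(block[:CHKSUM_OFF]) + 8 * 0x20 + sum(block[CHKSUM_OFF + CHKSUM_LEN:])

def check_numeric_field(raw: bytes) -> str | None:
    """Return None for a well-formed octal field, otherwise the reason it fails.
    Policy (this example's, stricter than tar's lenient parser): optional leading
    spaces, at least one octal digit, then only spaces or NULs; all-blank fails."""
    i, n = 0, len(raw)
    while i < n and raw[i] == 0x20:
        i += 1
    first_digit = i
    while i < n and 0x30 <= raw[i] <= 0x37:
        i += 1
    if i == first_digit:
        return "no octal digits (blank or non-numeric field)"
    while i < n and raw[i] in (0x20, 0x00):
        i += 1
    if i != n:
        return f"unexpected byte 0x{raw[i]:02x} after the digits"
    return None

def octal_value(raw: bytes) -> int:
    """Parse a field that check_numeric_field has already accepted."""
    return int(raw.strip(b" \0"), 8)

def check_header(block: bytes) -> list[str]:
    """List the problems found in one 512-byte header block."""
    if len(block) != BLOCK:
        return [f"short header: {len(block)} bytes"]
    problems = []
    for name, off, length in NUMERIC_FIELDS:
        why = check_numeric_field(block[off:off + length])
        if why:
            problems.append(f"{name}: {why}")
    stored = block[CHKSUM_OFF:CHKSUM_OFF + CHKSUM_LEN]
    why = check_numeric_field(stored)
    if why:
        problems.append(f"chksum: {why}")
    elif octal_value(stored) != header_checksum(block):
        problems.append("chksum: does not match the header bytes")
    return problems

def scan_archive(data: bytes) -> dict[int, list[str]]:
    """Walk an in-memory archive's header blocks; return {offset: problems}.
    Stops at the end-of-archive zero block or at an unparseable size field."""
    findings: dict[int, list[str]] = {}
    pos = 0
    while pos + BLOCK <= len(data):
        block = data[pos:pos + BLOCK]
        if block == bytes(BLOCK):
            break
        problems = check_header(block)
        if problems:
            findings[pos] = problems
        size_raw = block[124:136]
        if check_numeric_field(size_raw) is not None:
            break  # next header offset is unknown without a valid size
        pos += BLOCK + -(-octal_value(size_raw) // BLOCK) * BLOCK  # data rounded up
    return findings

def build_v7_header(name: bytes, size: int, mtime_field: bytes | None = None) -> bytes:
    """Construct a V7 regular-file header (example helper, not tar's own code)."""
    assert len(name) <= 100
    h = bytearray(BLOCK)
    h[0:len(name)] = name
    h[100:108] = b"0000644\0"                   # mode
    h[108:116] = b"0001000\0"                   # uid
    h[116:124] = b"0001000\0"                   # gid
    h[124:136] = b"%011o\0" % size              # size
    if mtime_field is None:
        mtime_field = b"%011o\0" % 1676650798   # constructed time stamp
    assert len(mtime_field) == 12
    h[136:148] = mtime_field                    # mtime
    h[156] = ord("0")                           # typeflag: regular file
    h[148:156] = b"%06o\0 " % header_checksum(bytes(h))
    return bytes(h)

def sample_archive(blank_mtime: bool) -> bytes:
    """One-file archive, constructed; blank_mtime uses eleven spaces plus a NUL."""
    payload = b"hello\n"
    mtime = b" " * 11 + b"\0" if blank_mtime else None
    header = build_v7_header(b"hello.txt", len(payload), mtime)
    return header + payload.ljust(BLOCK, b"\0") + bytes(2 * BLOCK)
```

Calling scan_archive(sample_archive(False)) returns an empty dict, while scan_archive(sample_archive(True)) reports the blank mtime at offset 0. The check is a screen for archives arriving from untrusted sources, not a substitute for the updated package: it walks headers by their size field, so it deliberately stops at the first header it cannot parse rather than guessing where the next one begins.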
Dave Hodgins 2023-03-01 19:05:35 CET

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0079.html

Resolution: (none) => FIXED