Bug 24117 - tar new security issue CVE-2018-20482
Summary: tar new security issue CVE-2018-20482
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2019-01-03 03:17 CET by David Walser
Modified: 2019-01-11 22:09 CET
5 users

See Also:
Source RPM: tar-1.30-3.mga7.src.rpm
CVE:
Status comment:


David Walser 2019-01-03 03:18:02 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-01-03 21:28:27 CET
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

David Walser 2019-01-04 00:32:56 CET

CC: (none) => smelror

Comment 2 Stig-Ørjan Smelror 2019-01-04 00:55:04 CET
Advisory
========

GNU tar has been updated to fix CVE-2018-20482.

GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).

References
==========

https://lists.gnu.org/archive/html/bug-tar/2019-01/msg00000.html
https://nvd.nist.gov/vuln/detail/CVE-2018-20482

Files
=====

tar-1.31-1.mga6

from tar-1.31-1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Assignee: shlomif => qa-bugs
Version: Cauldron => 6
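The failure mode named in the advisory above (a region dump that keeps reading after the file has been truncated by another process) as an added illustration; this is a simplified Python model written for this page, not tar's own sparse.c code. The names dump_region, FileShrankError and run_scenario are hypothetical; the check for a zero-length read is what turns an endless loop into a clean failure.

```python
"""Model of dumping a file region whose size was recorded before the read."""
import os
import tempfile


class FileShrankError(RuntimeError):
    """Raised when the file turns out shorter than the size recorded earlier."""


def dump_region(fd, offset, size, out, chunk=4096):
    """Copy `size` bytes from `offset` of `fd` into `out`; return bytes copied.

    A zero-length read before `size` bytes are copied means the file shrank
    under us (e.g. another process truncated it). Without this check the
    loop would spin forever on empty reads, which is the CVE-2018-20482 hang.
    """
    os.lseek(fd, offset, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        buf = os.read(fd, min(chunk, remaining))
        if not buf:
            raise FileShrankError(f"file shrank by {remaining} bytes")
        out.write(buf)
        remaining -= len(buf)
    return size


def run_scenario(total=10000, shrink_to=None):
    """Constructed scenario: record the size, then (optionally) truncate the
    file before reading, as a concurrent writer would; return a summary."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"A" * total)  # the data region of a would-be sparse file
        path = f.name
    fd = os.open(path, os.O_RDONLY)
    try:
        size = os.fstat(fd).st_size  # size recorded at stat time
        if shrink_to is not None:
            os.truncate(path, shrink_to)  # another process shrinks the file
        with open(os.devnull, "wb") as out:
            try:
                return f"copied {dump_region(fd, 0, size, out)} bytes"
            except FileShrankError as e:
                return str(e)
    finally:
        os.close(fd)
        os.unlink(path)
```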

Comment 3 Stig-Ørjan Smelror 2019-01-04 00:55:23 CET
GNU tar 1.31 has also been pushed to Cauldron.

Comment 4 Herman Viaene 2019-01-11 10:07:46 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref bug 19696 for tests, so testing existing file:
$ tar -tvf /mnt/Documents/kursussen.tar.gz
drwxrwxr-x herman/herman     0 2007-04-18 09:30 kursussen/
-rw-r--r-- herman/herman   931 2007-03-05 11:01 kursussen/cut.jpg
-rw-rw-r-- herman/herman 2036968 2007-03-30 18:07 kursussen/text.odt
-rw-rw-r-- herman/herman   21880 2007-03-05 15:07 kursussen/findreplace.jpg
and a lot more, all OK
Making and extracting new tar file:
$ cd Documenten/
$ tar -cf bugtest.tar apachemodper.txt dcraw.txt
Copy tar file to tmp:
$ cd ../tmp/
$ tar -xf bugtest.tar
$ ls
apachemodper.txt  bugtest.tar  dcraw.txt
All OK to me

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Lewis Smith 2019-01-11 20:03:19 CET

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2019-01-11 22:09:18 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0034.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
