Tar 1.31 has been released, fixing a security issue in the following commit:
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454

and another possible security issue here:
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=b531801d6f49d64a126720e6004aae7c800764b2

It didn't build due to a testsuite failure:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20190102233602.kekepower.duvel.25137/log/tar-1.31-1.mga7/build.0.20190102233705.log

but hopefully a fix will show up upstream:
https://www.mail-archive.com/bug-tar@gnu.org/
http://git.savannah.gnu.org/cgit/tar.git

Mageia 6 may also be affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
CC: (none) => smelror
Advisory
========

GNU tar has been updated to fix CVE-2018-20482.

GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).

References
==========
https://lists.gnu.org/archive/html/bug-tar/2019-01/msg00000.html
https://nvd.nist.gov/vuln/detail/CVE-2018-20482

Files
=====
tar-1.31-1.mga6 from tar-1.31-1.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Assignee: shlomif => qa-bugs
Version: Cauldron => 6
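The failure mode named in the advisory, shown as an added example that is not part of this bug thread and is not GNU tar's code: a region-read loop that treats a zero-byte read (the file shrank after its size was recorded) as a reason to stop instead of retrying forever. The function names, the temporary file and the choice to zero-pad the missing bytes are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read `want` bytes at offset `off` into `out`. If the file ends early,
   zero-pad the rest and stop. Returns bytes read from the file, -1 on error. */
ssize_t read_region(int fd, off_t off, char *out, size_t want)
{
    size_t left = want;
    if (lseek(fd, off, SEEK_SET) == (off_t)-1)
        return -1;
    while (left > 0) {
        ssize_t n = read(fd, out + (want - left), left);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0)
            return -1;
        if (n == 0) {   /* EOF: without this branch `left` never decreases */
            memset(out + (want - left), 0, left);
            break;
        }
        left -= (size_t)n;
    }
    return (ssize_t)(want - left);
}

/* Constructed scenario: a 4096-byte size is recorded, the file then shrinks
   to 1000 bytes, and the recorded region is read. Returns bytes read. */
ssize_t demo_shrunk_file(void)
{
    char path[] = "/tmp/shrink-demo-XXXXXX", data[4096], buf[4096];
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    memset(data, 'A', sizeof data);
    memset(buf, 'x', sizeof buf);
    if (write(fd, data, sizeof data) != (ssize_t)sizeof data || ftruncate(fd, 1000) != 0) {
        close(fd);
        return -1;
    }
    ssize_t got = read_region(fd, 0, buf, sizeof data);
    close(fd);
    return (buf[999] == 'A' && buf[1000] == 0 && buf[4095] == 0) ? got : -2;
}
int main(void) { printf("read %ld of 4096 bytes\n", (long)demo_shrunk_file()); return 0; }
```

A caller comparing the return value with the requested size can log the shortfall and decide whether a short region is acceptable for the archive.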
GNU tar 1.31 has also been pushed to Cauldron
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref bug 19696 for tests, so testing existing file
$ tar -tvf /mnt/Documents/kursussen.tar.gz
drwxrwxr-x herman/herman 0 2007-04-18 09:30 kursussen/
-rw-r--r-- herman/herman 931 2007-03-05 11:01 kursussen/cut.jpg
-rw-rw-r-- herman/herman 2036968 2007-03-30 18:07 kursussen/text.odt
-rw-rw-r-- herman/herman 21880 2007-03-05 15:07 kursussen/findreplace.jpg
and a lot more, all OK

Making and extracting new tar file
$ cd Documenten/
$ tar -cf bugtest.tar apachemodper.txt dcraw.txt
Copy tar file to tmp
$ cd ../tmp/
$ tar -xf bugtest.tar
$ ls
apachemodper.txt bugtest.tar dcraw.txt
All OK to me
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0034.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED