openSUSE has issued an advisory on April 2:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XRDSUUE3LUKBDRLPB7GTT5QZRPV5J7O4/

Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
cauldron is already fixed
Version: Cauldron => 8
CC: (none) => mageia
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Fixed in mga 7/8 src:
- tar-1.32-1.1.mga7
- tar-1.33-2.1.mga8
Assignee: bugsquad => qa-bugs
mga8, x64

CVE-2021-20193
https://bugzilla.redhat.com/show_bug.cgi?id=1917565

$ valgrind tar tf 1311745-out-bounds.tar
==54829== Memcheck, a memory error detector
==54829== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==54829== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==54829== Command: tar tf 1311745-out-bounds.tar
==54829==
tar: Unexpected EOF in archive
tar: Exiting with failure status due to previous errors

Updated the tar package.
installing tar-1.33-2.1.mga8.....

$ tar xf 1311745-out-bounds.tar
tar: Unexpected EOF in archive
tar: Exiting with failure status due to previous errors

The PoC tests agree before and after updating, so maybe the package had already been patched.

Used tar to extract all files from a 5GB tarfile. OK.

$ tar cf mp4.tar *.mp4
$ ll mp4.tar
-rw-r--r-- 1 lcl lcl 356792320 Jun 2 10:45 mp4.tar
$ tar cf sub.tar MichaelPraetorius_*

Extract a particular file:
$ cp mp4.tar dev/
$ cd dev
$ tar --get -f mp4.tar HeinrichBiber......mp4
$ ls
HeinrichBiber-SonataIVinCMajorforTrumpetandStrings.mp4 mp4.tar sub.tar

$ tar --extract --wildcards -f vom.tar *.mkv
Creates a subdirectory VoicesOfMusic :-
$ ls VoicesOfMusic/
AirOnTheGString_Suite_3_BWV1068_JSBach.mkv
AndreaFalconieri_FoliasLaFolia.mkv
AntonioVivaldi_LaFolliaLaFolia.mkv
Corelli_ConcertoinDMajorOpus6_4.mkv
.....

There are many dozens of options for tar. As far as these tests go, tar seems to be working fine.
CC: (none) => tarazed25
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
Installed and tested without issues.

Tested:
- Testing existing tar balls (find -ipath '*.tar.*' -exec tar tvf '{}' ';');
- Listing content;
- Extracting existing tar balls;
- Creating tar ball;
- Appending to tar ball;
- Diff between tar ball and filesystem;

System: Mageia 7, x86_64, Intel CPU.
$ uname -a
Linux marte 5.10.41-desktop-1.mga7 #1 SMP Fri May 28 14:28:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q tar
tar-1.32-1.1.mga7
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK
CC: (none) => mageia
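A scripted form of the QA steps from the comment above (create, list, append, diff, extract), added here as an example and not part of the bug report or the Mageia package. It builds its own archives in a temporary directory and, mirroring the PoC run earlier in this bug, also checks that a truncated archive makes tar stop with an error and a non-zero exit rather than being read past its end. It assumes GNU tar and a POSIX sh; all file names and the truncation size are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: regression checks for the updated
# tar package. Assumes GNU tar and a POSIX sh; all inputs are constructed
# here in a scratch directory.

# Returns 0 when every check passes, otherwise the number of the failing step.
tar_regression_check() {
    WORK=$(mktemp -d) || return 1
    mkdir -p "$WORK/src/sub" || return 1
    printf 'hello\n' > "$WORK/src/a.txt"
    printf 'world\n' > "$WORK/src/sub/b.txt"
    # Step 1: create an archive from a directory tree.
    (cd "$WORK" && tar cf out.tar src) || return 2
    # Step 2: list it; nested members must be present.
    tar tf "$WORK/out.tar" | grep -qx 'src/sub/b.txt' || return 3
    # Step 3: append a member (-r only works on uncompressed archives).
    printf 'extra\n' > "$WORK/c.txt"
    (cd "$WORK" && tar rf out.tar c.txt) || return 4
    tar tf "$WORK/out.tar" | grep -qx 'c.txt' || return 5
    # Step 4: compare the archive with the filesystem; must report no diff.
    (cd "$WORK" && tar df out.tar) || return 6
    # Step 5: extract into a fresh directory and compare a file's contents.
    mkdir "$WORK/dst" || return 7
    tar xf "$WORK/out.tar" -C "$WORK/dst" || return 7
    cmp -s "$WORK/src/a.txt" "$WORK/dst/src/a.txt" || return 8
    # Step 6: cut an archive in the middle of a member's data (1500 of 10240
    # bytes). GNU tar must stop with "Unexpected EOF in archive" and exit
    # non-zero, as in the PoC run above, instead of reading past the end.
    dd if=/dev/zero of="$WORK/big.bin" bs=1024 count=4 2>/dev/null || return 9
    (cd "$WORK" && tar cf big.tar big.bin) || return 9
    dd if="$WORK/big.tar" of="$WORK/trunc.tar" bs=500 count=3 2>/dev/null
    if tar tf "$WORK/trunc.tar" >/dev/null 2>"$WORK/trunc.err"; then
        return 10            # a truncated archive was accepted silently
    fi
    [ -s "$WORK/trunc.err" ] || return 11   # failed, but with no diagnostic
    return 0
}

# Run the checks, always remove the scratch directory, and keep the result.
run_tar_checks() {
    tar_regression_check
    rc=$?
    [ -n "$WORK" ] && rm -rf "$WORK"
    return $rc
}
```

Call run_tar_checks after installing the update; a non-zero return names the step that failed.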
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Advisory:
========================

Updated tar package fixes a security vulnerability:

A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability (CVE-2021-20193).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29049
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20193
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XRDSUUE3LUKBDRLPB7GTT5QZRPV5J7O4/
========================

Updated package in 7/core/updates_testing:
========================
tar-1.32-1.1.mga7

from SRPM:
tar-1.32-1.1.mga7.src.rpm
========================

Updated package in 8/core/updates_testing:
========================
tar-1.33-2.1.mga8

from SRPM:
tar-1.33-2.1.mga8.src.rpm
CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2021-20193
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0233.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED