Fedora has issued an advisory on September 4: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/ Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOOStatus comment: (none) => Patches available from Fedora
No registered maintainer, assigning to all packagers collectively
Assignee: bugsquad => pkg-bugsCC: (none) => marja11
Suggested advisory: ======================== The updated packages fix security vulnerabilities: An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longlink, causing an out-of-bounds read. (CVE-2021-33643) An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longname, causing an out-of-bounds read. (CVE-2021-33644) The th_read() function doesn't free a variable t->th_buf.gnu_longlink after allocating memory, which may cause a memory leak. (CVE-2021-33645) The th_read() function doesn't free a variable t->th_buf.gnu_longname after allocating memory, which may cause a memory leak. (CVE-2021-33646) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33643 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33644 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33645 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33646 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/ ======================== Updated packages in core/updates_testing: ======================== lib(64)tar0-1.2.20-9.1.mga8 lib(64)tar-devel-1.2.20-9.1.mga8 libtar-1.2.20-9.1.mga8 from SRPM: libtar-1.2.20-9.1.mga8.src.rpm
Version: Cauldron => 8Assignee: pkg-bugs => qa-bugsStatus: NEW => ASSIGNEDStatus comment: Patches available from Fedora => (none)Source RPM: libtar-1.2.20-10.mga9.src.rpm => libtar-1.2.20-9.mga8.src.rpmCC: (none) => nicolas.salgueroWhiteboard: MGA8TOO => (none)
MGA8-64 Plasma on Acer Aspire 5253 No installation issues Followed example in bug 11424 Comment 10 $ cd libtartest/ $ echo "test test test" >test.txt $ libtar -c tartest.tar test.txt $ rm -f test.txt $ libtar -x tartest.tar $ cat test.txt test test test Works OK
CC: (none) => herman.viaeneWhiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0335.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED