Bug 30821 - libtar new security issues CVE-2021-3364[3-6]
Summary: libtar new security issues CVE-2021-3364[3-6]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-09-06 21:31 CEST by David Walser
Modified: 2022-09-16 21:41 CEST
6 users

See Also:
Source RPM: libtar-1.2.20-9.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2022-09-06 21:31:01 CEST
Fedora has issued an advisory on September 4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/

Mageia 8 is also affected.
David Walser 2022-09-06 21:31:15 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from Fedora

Comment 1 Marja Van Waes 2022-09-06 21:34:54 CEST
No registered maintainer, assigning to all packagers collectively

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Salguero 2022-09-07 10:27:19 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An attacker who submits a crafted tar file with the size in the header struct being 0 may be able to trigger a call to malloc(0) for the variable gnu_longlink, causing an out-of-bounds read. (CVE-2021-33643)

An attacker who submits a crafted tar file with the size in the header struct being 0 may be able to trigger a call to malloc(0) for the variable gnu_longname, causing an out-of-bounds read. (CVE-2021-33644)

The th_read() function doesn't free a variable t->th_buf.gnu_longlink after allocating memory, which may cause a memory leak. (CVE-2021-33645)

The th_read() function doesn't free a variable t->th_buf.gnu_longname after allocating memory, which may cause a memory leak. (CVE-2021-33646)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33643
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33644
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33646
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/
========================

Updated packages in core/updates_testing:
========================
lib(64)tar0-1.2.20-9.1.mga8
lib(64)tar-devel-1.2.20-9.1.mga8
libtar-1.2.20-9.1.mga8

from SRPM:
libtar-1.2.20-9.1.mga8.src.rpm

Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Status comment: Patches available from Fedora => (none)
Source RPM: libtar-1.2.20-10.mga9.src.rpm => libtar-1.2.20-9.mga8.src.rpm
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
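An added example, not libtar's own code nor the Fedora patch: a hardened reader for GNU long-name ("L") tar entries that refuses the zero-size header the advisory describes before any malloc(0) can happen, and frees the previous gnu_longname buffer before reallocating. The struct, function names and the constructed 512-byte header are hypothetical.

```c
/* Added example (not libtar's code): hardened GNU long-name ("L") entry
 * reader covering the two defect classes in the advisory. Names are hypothetical. */
#include <stdlib.h>
#include <string.h>

#define T_BLOCKSIZE 512
#define SIZE_OFF    124   /* ustar size field: 12 ASCII octal bytes */

struct reader { char *gnu_longname; };   /* carried between entries */
/* Parse an octal header field; -1 if empty or non-octal. */
static long parse_octal(const char *f, size_t n) {
    long v = -1;
    for (size_t i = 0; i < n && f[i] != '\0' && f[i] != ' '; i++) {
        if (f[i] < '0' || f[i] > '7') return -1;
        v = (v < 0 ? 0 : v) * 8 + (f[i] - '0');
    }
    return v;
}

/* Consume one long-name entry; 0 on success, -1 when rejected.
 * CVE-2021-33643/4: a zero size field would reach malloc(0) and the copy
 * would read past it, so zero and oversized sizes are refused up front.
 * CVE-2021-33645/6: the previous buffer is freed before reallocating. */
int read_gnu_longname(struct reader *r, const char *hdr,
                      const char *data, size_t data_len) {
    long sz = parse_octal(hdr + SIZE_OFF, 12);
    if (sz <= 0 || (size_t)sz > data_len)
        return -1;
    free(r->gnu_longname);
    r->gnu_longname = malloc((size_t)sz + 1);
    if (!r->gnu_longname)
        return -1;
    memcpy(r->gnu_longname, data, (size_t)sz);
    r->gnu_longname[sz] = '\0';
    return 0;
}

/* Constructed case: 1 if the entry is accepted (read twice, to exercise the
 * free-before-reallocate path) and the recovered name equals expect. */
int demo_case(const char *size_octal, const char *expect) {
    char hdr[T_BLOCKSIZE] = {0}, blk[T_BLOCKSIZE] = "hello";
    struct reader r = { NULL };
    int ok = 0;
    memcpy(hdr + SIZE_OFF, size_octal, strlen(size_octal));
    if (read_gnu_longname(&r, hdr, blk, T_BLOCKSIZE) == 0 &&
        read_gnu_longname(&r, hdr, blk, T_BLOCKSIZE) == 0)
        ok = strcmp(r.gnu_longname, expect) == 0;
    free(r.gnu_longname);
    return ok;
}
```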

Comment 3 Herman Viaene 2022-09-15 14:06:50 CEST
MGA8-64 Plasma on Acer Aspire 5253
No installation issues
Followed example in bug 11424 Comment 10
$ cd libtartest/
$ echo "test test test" >test.txt
$ libtar -c tartest.tar test.txt
$ rm -f test.txt
$ libtar -x tartest.tar
$ cat test.txt 
test test test
Works OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-09-16 02:48:29 CEST
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-09-16 20:00:25 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-09-16 21:41:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0335.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

