Bug 31337 - libtar new security issue CVE-2021-33640
Summary: libtar new security issue CVE-2021-33640
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-12-28 18:00 CET by David Walser
Modified: 2022-12-30 23:40 CET (History)
5 users (show)

See Also:
Source RPM: libtar-1.2.20-9.1.mga8.src.rpm
CVE: CVE-2021-33640
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2022-12-28 18:00:22 CET 
Fedora has issued an advisory today (December 28):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/

Mageia 8 is also affected.
David Walser 2022-12-28 18:00:41 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Fedora

David Walser 2022-12-28 18:00:58 CET

CC: (none) => nicolas.salguero

Comment 1 Lewis Smith 2022-12-29 09:22:12 CET 
Assigning gobally as libtar has no evident maintainer.
NicolasS (who did last CVE update) is already CC'd.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-12-29 14:37:30 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

After tar_close(), libtar.c releases the memory pointed to by pointer t. After tar_close() is called in the list() function, it continues to use pointer t: free_longlink_longname(t->th_buf) . As a result, the released memory is used (use-after-free). (CVE-2021-33640)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33640
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/
========================

Updated packages in core/updates_testing:
========================
libtar-1.2.20-9.2.mga8
lib(64)tar0-1.2.20-9.2.mga8
lib(64)tar-devel-1.2.20-9.2.mga8

from SRPM:
libtar-1.2.20-9.2.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-33640
Whiteboard: MGA8TOO => (none)
Source RPM: libtar-1.2.20-11.mga9.src.rpm => libtar-1.2.20-9.1.mga8.src.rpm
Status comment: Patch available from Fedora => (none)

Comment 3 Herman Viaene 2022-12-30 11:39:20 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Re-using the test files from bug 30821.
$ cd libtartest/
$ libtar -c tartest.tar test.txt
$ rm -f test.txt
$ libtar -x tartest.tar
$ cat test.txt
test test test

So testing is OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-12-30 14:37:12 CET 
Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-12-30 21:45:26 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-12-30 23:40:53 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0488.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.