SUSE has issued an advisory today (February 17):
https://lists.suse.com/pipermail/sle-security-updates/2023-February/013834.html

Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Assigning globally because tar does not have an obvious packager; but CC'ing Giuseppe who has done some things to it recently.
Assignee: bugsquad => pkg-bugs
CC: (none) => ghibomgx
openSUSE has issued an advisory for this on February 20:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EMCL5SDDZC2JTGVOT5D2T56IWCRICHJD/
RedHat has issued an advisory for this on February 21:
https://access.redhat.com/errata/RHSA-2023:0842
Suggested advisory:
========================

The updated package fixes a security vulnerability:

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters. (CVE-2022-48303)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48303
https://lists.suse.com/pipermail/sle-security-updates/2023-February/013834.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EMCL5SDDZC2JTGVOT5D2T56IWCRICHJD/
https://access.redhat.com/errata/RHSA-2023:0842
========================

Updated package in core/updates_testing:
========================

tar-1.33-2.2.mga8

from SRPM:
tar-1.33-2.2.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Assignee: pkg-bugs => qa-bugs
Source RPM: tar-1.34-4.mga9.src.rpm => tar-1.33-2.1.mga8.src.rpm
CC: (none) => nicolas.salguero
Version: Cauldron => 8
CVE: (none) => CVE-2022-48303
Status: NEW => ASSIGNED
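The advisory above gives the shape of the bug only in outline: a header field made of whitespace is scanned past its fixed width. The following is an added example, not tar's own code and not the upstream fix, showing a bounded parser for a fixed-width octal V7 header field, where the field length is the hard limit so an all-whitespace mtime is rejected instead of read past. The header offsets and the sample header are assumed/constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed V7 layout: mtime is a 12-byte octal field at offset 136. */
#define V7_MTIME_OFFSET 136
#define V7_MTIME_LEN    12

/* Parse one fixed-width octal header field. Leading blanks are skipped
   and the value ends at the first NUL or space, but every access is
   bounded by 'len': an all-whitespace field returns false rather than
   letting the scan continue into whatever memory follows the field.
   Also returns false for non-octal digits or overflow. */
bool parse_tar_octal(const char *field, size_t len, uintmax_t *out)
{
    size_t i = 0;
    uintmax_t v = 0;

    while (i < len && (field[i] == ' ' || field[i] == '\t'))
        i++;                          /* skip leading whitespace */
    if (i == len || field[i] == '\0')
        return false;                 /* no digits inside the field */

    for (; i < len; i++) {
        char c = field[i];
        if (c == '\0' || c == ' ')
            break;                    /* terminator: value complete */
        if (c < '0' || c > '7')
            return false;             /* not an octal digit */
        if (v > (UINTMAX_MAX >> 3))
            return false;             /* would overflow uintmax_t */
        v = (v << 3) | (uintmax_t)(c - '0');
    }
    *out = v;
    return true;
}

/* Parse the mtime field of a 512-byte V7 header block. */
bool parse_v7_mtime(const unsigned char hdr[512], uintmax_t *out)
{
    return parse_tar_octal((const char *)hdr + V7_MTIME_OFFSET,
                           V7_MTIME_LEN, out);
}

int main(void)
{
    /* Constructed header: mtime is 11 spaces then NUL (the shape the
       advisory describes); the byte right after the field is a digit,
       so an unbounded scan would wrongly treat it as part of the value. */
    unsigned char hdr[512] = {0};
    for (int i = 0; i < 11; i++) hdr[V7_MTIME_OFFSET + i] = ' ';
    hdr[V7_MTIME_OFFSET + V7_MTIME_LEN] = '7';
    uintmax_t mtime;
    printf("all-blank mtime: %s\n",
           parse_v7_mtime(hdr, &mtime) ? "accepted" : "rejected");
    return 0;
}
```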
No installation issues.

Created an archive of photos of a special shape hot air balloon that I have crewed for, named Beagle Maximus. Used the verbose option just to show what was happening.

$ tar -cvf beagle.tar.gz Pictures/Beagle/
Pictures/Beagle/
Pictures/Beagle/beagle maximus.jpg
Pictures/Beagle/Beagle Max circle.jpg
Pictures/Beagle/p4230003.jpg
Pictures/Beagle/Beagle Max.jpg
Pictures/Beagle/421420429_e7527be223_o.jpg
Pictures/Beagle/beagle poster.pdf
Pictures/Beagle/beagle Poster.pdf
Pictures/Beagle/p4230001.jpg
Pictures/Beagle/p4230002.jpg
Pictures/Beagle/1171314392_01b8be2c13_b.jpg
Pictures/Beagle/beagle oval a.jpg
Pictures/Beagle/Beagle Max3.jpg
Pictures/Beagle/Beagle Max2.jpg
Pictures/Beagle/Beagle Max2A.xcf
Pictures/Beagle/beagle maximus2.jpg
Pictures/Beagle/Beagle Max2b.jpg
Pictures/Beagle/Beagle Poster 2.pdf
Pictures/Beagle/p4230004.jpg
Pictures/Beagle/Beagle Max2A.png
Pictures/Beagle/beagle maximus3.jpg
Pictures/Beagle/p4230005.jpg
Pictures/Beagle/Beagle Max4.jpg

Moved the archive to another folder, and extracted it with ARK. All photos looked identical to the originals.

Giving this an OK, and validating. Advisory in comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0079.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED