tar is vulnerable to CVE-2021-20193

Open
Submitted by Léo Le Bouter.
Details
2 participants
  • Léo Le Bouter
  • Maxime Devos
Owner
unassigned
Severity
normal
Léo Le Bouter wrote on 26 Mar 22:30 +0100
(address . bug-guix@gnu.org)
520e2097011aae1bfd9c20278e27e25813517b42.camel@zaclys.net
CVE-2021-20193 18:15
A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.
Patch available here: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777
Unreleased for now.
We can probably apply it in core-updates now, we should fix it in master also, since grafts don't apply to GNU Guix builds, is that OK?
GNU Guix packages don't unpack arbitrary tarballs since we hardcode hashes for verification, but still.

Léo Le Bouter wrote on 26 Mar 22:35 +0100
(address . control@debbugs.gnu.org)
2559cf953da6495f033378d37af686c1d23b43b5.camel@zaclys.net
tags 47422 + security
quit

Maxime Devos wrote on 26 Mar 23:40 +0100
1bc26f41f7a30bb04777b5a654acddbcfc3ea54c.camel@telenet.be
On Fri, 2021-03-26 at 22:30 +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-20193 18:15
> A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw
> allows an attacker who can submit a crafted input file to tar to cause
> uncontrolled consumption of memory. The highest threat from this
> vulnerability is to system availability.
>
> Patch available here:
> https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777
>
> Unreleased for now.
There has been a 1.34 release (a git tag is missing, but see https://git.savannah.gnu.org/cgit/tar.git/log/ ‘maint: 1.34 announcement update’).
> We can probably apply it in core-updates now,

> we should fix it in master also, since grafts don't apply to GNU Guix builds is that OK?

Technically, there won't be any trouble (except increased time spent grafting I guess), but ...

> GNU Guix packages don't unpack arbitrary tarballs since we hardcode
> hashes for verification, but still

It's ‘merely’ a denial-of-service attack. Perhaps relevant to Software Heritage though (idk if they use Guix). So no big rush, but still nice to fix.

Thanks for looking at this (& other potential security issues),
Greetings, Maxime.
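The two ways of shipping the fix discussed in this thread (patching the package source on core-updates versus declaring a graft on master), written out as an added example for this page; it is not code from the thread or from Guix's own gnu/packages/base.scm, and the patch file name is a placeholder for the upstream commit linked above.

```scheme
;; Added example, not from the thread or from Guix's base.scm.
;; "tar-CVE-2021-20193.patch" is a placeholder file name standing for
;; upstream commit d9d4435692150fa8ff68e1b1a473d187cc3fd777.
(use-modules (guix packages)
             (gnu packages)        ; provides search-patches
             (gnu packages base))  ; provides the 'tar' package

;; core-updates style: add the patch to the source of the package
;; itself.  Its derivation changes, so every dependent of tar is
;; rebuilt; acceptable only on a branch scheduled for a full rebuild.
(define tar/fixed
  (package
    (inherit tar)   ; keeps name and version, which grafting relies on
    (source
     (origin
       (inherit (package-source tar))
       (patches (append (origin-patches (package-source tar))
                        (search-patches "tar-CVE-2021-20193.patch")))))))

;; master style: leave 'tar' as it is and point it at the fixed package
;; through the 'replacement' field.  Dependents are not rebuilt; when a
;; profile is built, references to tar's store path are rewritten to
;; tar/fixed's, which is the extra grafting time mentioned above.  In
;; base.scm the field would be added to the 'tar' definition directly;
;; here a derived package shows the shape without re-typing it.
(define tar-grafted
  (package
    (inherit tar)
    (replacement tar/fixed)))
```

Store file names are rewritten in place by grafting, so the replacement must keep the same name and version string as the package it replaces, which is why it inherits from `tar` rather than bumping the version.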
