Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 569
Alerts This Week
Warning Icon 1 569

Mageia 8: 2022-0335 Critical: Out-Of-Bounds Access in Libtar

mageia
Calendar Grey September 16, 2022
Dist Mageia Esm H88
The recent libtar updates for Mageia address several vulnerabilities such as boundary violations and memory management flaws.
An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longlink, causing an out-of-bounds r...

Summary

An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longlink, causing an out-of-bounds read. (CVE-2021-33643)
An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longname, causing an out-of-bounds read. (CVE-2021-33644)
The th_read() function doesn't free a variable t->th_buf.gnu_longlink after allocating memory, which may cause a memory leak. (CVE-2021-33645)
The th_read() function doesn't free a variable t->th_buf.gnu_longname after allocating memory, which may cause a memory leak. (CVE-2021-33646)

References

- https://bugs.mageia.org/show_bug.cgi?id=30821

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/

- https://www.cve.org/CVERecord?id=CVE-2021-33643

- https://www.cve.org/CVERecord?id=CVE-2021-33644

- https://www.cve.org/CVERecord?id=CVE-2021-33645

- https://www.cve.org/CVERecord?id=CVE-2021-33646

Resolution

SRPMS

- 8/core/libtar-1.2.20-9.1.mga8

Severity
critical
Lowest
Low
Medium
High
Critical

Publication date: 16 Sep 2022
URL: https://advisories.mageia.org/MGASA-2022-0335.html
Type: security
CVE: CVE-2021-33643, CVE-2021-33644, CVE-2021-33645, CVE-2021-33646

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.