bug#47422: tar is vulnerable to CVE-2021-20193

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#47422: tar is vulnerable to CVE-2021-20193

From:	Léo Le Bouter
Subject:	bug#47422: tar is vulnerable to CVE-2021-20193
Date:	Fri, 26 Mar 2021 22:30:57 +0100
User-agent:	Evolution 3.34.2

CVE-2021-20193  18:15
A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw
allows an attacker who can submit a crafted input file to tar to cause
uncontrolled consumption of memory. The highest threat from this
vulnerability is to system availability.

Patch available here: 
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777

Unreleased for now.

We can probably apply it in core-updates now, we should fix it in
master also, since grafts don't apply to GNU Guix builds is that OK?

GNU Guix packages don't unpack arbitrary tarballs since we hardcode
hashes for verification, but still.

signature.asc
Description: This is a digitally signed message part

[Prev in Thread]

Current Thread

[Next in Thread]

bug#47422: tar is vulnerable to CVE-2021-20193, Léo Le Bouter <=
- bug#47422: tar is vulnerable to CVE-2021-20193, Maxime Devos, 2021/03/26

Prev by Date: bug#47325: newlib-nano: are lib names wrong?
Next by Date: bug#47420: binutils is vulnerable to CVE-2021-20197 (and various others)
Previous by thread: bug#47420: binutils is vulnerable to CVE-2021-20197 (and various others)
Next by thread: bug#47422: tar is vulnerable to CVE-2021-20193
Index(es):
- Date
- Thread