GNU bug report logs

#47422 tar is vulnerable to CVE-2021-20193


Message #10 received at 47422@debbugs.gnu.org:

Message-ID: <1bc26f41f7a30bb04777b5a654acddbcfc3ea54c.camel@telenet.be>
Subject: Re: bug#47422: tar is vulnerable to CVE-2021-20193
From: Maxime Devos <maximedevos@telenet.be>
To: Léo Le Bouter <lle-bout@zaclys.net>, 
 47422@debbugs.gnu.org
Date: Fri, 26 Mar 2021 23:40:01 +0100
In-Reply-To: <520e2097011aae1bfd9c20278e27e25813517b42.camel@zaclys.net>
References: <520e2097011aae1bfd9c20278e27e25813517b42.camel@zaclys.net>
On Fri, 2021-03-26 at 22:30 +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-20193	18:15

> A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw
> allows an attacker who can submit a crafted input file to tar to cause
> uncontrolled consumption of memory. The highest threat from this
> vulnerability is to system availability.
> 
> Patch available here: 
> https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777
> 
> Unreleased for now.

There has been a 1.34 release (a git tag is missing, but see
https://git.savannah.gnu.org/cgit/tar.git/log/ ‘maint: 1.34 announcement update’).

> We can probably apply it in core-updates now,

That's done already
(https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/base.scm?id=core-updates#n178)

> we should fix it in master also, since grafts don't apply to GNU Guix builds, is that OK?

Technically, there won't be any trouble (except increased time spent grafting I guess),
but ...

> GNU Guix packages don't unpack arbitrary tarballs since we hardcode
> hashes for verification, but still

It's ‘merely’ a denial-of-service attack.  Perhaps relevant to Software Heritage
though (idk if they use Guix).  So no big rush, but still nice to fix.

Thanks for looking at this (& other potential security issues),
Greetings, Maxime.


debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 10:00:57 2024; Machine Name: wallace-server
