Bugzilla – Bug 1181131
VUL-0: CVE-2021-20193: tar: Memory leak in read_header() in list.c
Last modified: 2022-05-05 19:18:01 UTC
CVE-2021-20193

An issue was discovered in GNU Tar 1.33 and earlier. There is a memory leak in read_header() in list.c in the tar application.

Memory pointed to by `next_long_name` and `next_long_link` was not being freed upon return of the `read_header()` routine in src/list.c. An attacker who provided a specially crafted input file to tar could cause an impact to application availability. The patch changes `read_header()` to not return before freeing memory pointed to by `next_long_name` and `next_long_link`.

Upstream issue: https://savannah.gnu.org/bugs/?59897

Upstream patch: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777

Affected versions: GNU Tar 1.33 and earlier

It is suggested to apply a version bump in Factory as well.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1917565
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20193
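The return-before-free pattern named in the description above, as an added example that is not tar's source and not part of the original report: a simplified model of a header reader that holds a long-name buffer across iterations, in its leaky and fixed shapes. The block kinds, status values, allocation counter and every function name here are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed stand-ins for archive header kinds; not tar's own types. */
enum block { BLK_LONGNAME, BLK_FILE };
enum status { ST_SUCCESS, ST_EOF };
static int live_allocs;            /* outstanding buffers, so a leak is countable */

static char *name_alloc(void) {    /* aborts on failure, xmalloc-style */
    char *p = malloc(1024);
    if (!p) abort();
    live_allocs++;
    return p;
}
static void name_free(char *p) { if (p) { live_allocs--; free(p); } }

/* Leaky shape: running out of input returns while long_name is still held. */
enum status read_header_leaky(const enum block *in, size_t n) {
    char *long_name = NULL;
    for (size_t i = 0; ; i++) {
        if (i == n) return ST_EOF;             /* early return skips the free */
        if (in[i] == BLK_LONGNAME) { name_free(long_name); long_name = name_alloc(); continue; }
        name_free(long_name);                  /* file header consumes the name */
        return ST_SUCCESS;
    }
}

/* Fixed shape: every path sets a status, breaks, and frees before returning. */
enum status read_header_fixed(const enum block *in, size_t n) {
    char *long_name = NULL;
    enum status status;
    for (size_t i = 0; ; i++) {
        if (i == n) { status = ST_EOF; break; }
        if (in[i] == BLK_LONGNAME) { name_free(long_name); long_name = name_alloc(); continue; }
        status = ST_SUCCESS; break;
    }
    name_free(long_name);                      /* single cleanup point */
    return status;
}

/* Number of buffers still allocated after one call to fn. */
int leaked_by(enum status (*fn)(const enum block *, size_t), const enum block *in, size_t n) {
    int before = live_allocs;
    fn(in, n);
    return live_allocs - before;
}

int main(void) {
    const enum block truncated[] = { BLK_LONGNAME };  /* constructed: long name, then EOF */
    printf("leaky: %d, fixed: %d\n", leaked_by(read_header_leaky, truncated, 1), leaked_by(read_header_fixed, truncated, 1));
    return 0;
}
```

Running the leaky variant under `valgrind --leak-check=full` reports the buffer as definitely lost, which mirrors how the fix is confirmed later in this thread.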
Created attachment 845283
PoC - Test case for memory leak/crash

This is the .tar test case from my original report. This can be used as reproducer with Valgrind to confirm the memory leak before the crash.
BEFORE 15,12,11/tar

```
$ valgrind -q --leak-check=full tar xf 1311745-out-bounds.tar
tar: Unexpected EOF in archive
tar: Exiting with failure status due to previous errors
==4834== 46 (40 direct, 6 indirect) bytes in 1 blocks are definitely lost in loss record 3 of 4
==4834==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==4834==    by 0x151348: xmalloc (xmalloc.c:41)
==4834==    by 0x1127C1: decode_options (tar.c:2271)
==4834==    by 0x1127C1: main (tar.c:2698)
==4834==
==4834== 1,311,745 bytes in 1 blocks are definitely lost in loss record 4 of 4
==4834==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==4834==    by 0x151348: xmalloc (xmalloc.c:41)
==4834==    by 0x1287D9: read_header (list.c:475)
==4834==    by 0x129ED2: read_and (list.c:183)
==4834==    by 0x112FCE: main (tar.c:2729)
==4834==
$
```

PATCH referenced in comment 0

AFTER 15,12,11/tar

```
11/tar $ valgrind -q --leak-check=full tar xf 1311745-out-bounds.tar
tar: Unexpected EOF in archive
tar: Exiting with failure status due to previous errors
==26065== 46 (40 direct, 6 indirect) bytes in 1 blocks are definitely lost in loss record 3 of 3
==26065==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26065==    by 0x151368: xmalloc (xmalloc.c:41)
==26065==    by 0x1127C1: decode_options (tar.c:2271)
==26065==    by 0x1127C1: main (tar.c:2698)
==26065==
$
```
Submitted for: 15,12,11/tar. I believe all fixed.
SUSE-SU-2021:0974-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1181131
CVE References: CVE-2021-20193
JIRA References:
Sources used:
SUSE MicroOS 5.0 (src): tar-1.30-3.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): tar-1.30-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:0975-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1181131
CVE References: CVE-2021-20193
JIRA References:
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): tar-1.27.1-15.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0494-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1181131
CVE References: CVE-2021-20193
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): tar-1.30-lp152.4.3.1
fixed
SUSE-SU-2022:1548-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1029961,1120610,1130496,1181131
CVE References: CVE-2018-20482,CVE-2019-9923,CVE-2021-20193
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): tar-1.34-150000.3.12.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src): tar-1.34-150000.3.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): tar-1.34-150000.3.12.1
SUSE Linux Enterprise Micro 5.2 (src): tar-1.34-150000.3.12.1
SUSE Linux Enterprise Micro 5.1 (src): tar-1.34-150000.3.12.1
SUSE Linux Enterprise Micro 5.0 (src): tar-1.34-150000.3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.