Bug 1202316 - (CVE-2021-33643) VUL-0: CVE-2021-33643: libtar: out-of-bounds read with a size in header struct being 0
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.4
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Martin Pluskal
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/339540/
Reported: 2022-08-11 06:42 UTC by Thomas Leroy
Modified: 2022-08-11 07:15 UTC

Found By: Security Response Team

Description Thomas Leroy 2022-08-11 06:42:02 UTC
CVE-2021-33643

An attacker who submits a crafted tar file with the size in the header struct being 0
may be able to trigger a call to malloc(0) for the variable gnu_longlink,
causing an out-of-bounds read.

openEuler version patch:
https://gitee.com/src-openeuler/libtar/blob/master/openEuler-CVE-2021-33643-CVE-2021-33644.patch

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33643
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33643
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807
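The unchecked-size pattern this report describes, as an added example that is not libtar's own code: a parser for the octal size field of a tar header plus a check that rejects a zero (or oversized) GNU longlink/longname size before anything is allocated or read. T_BLOCKSIZE is libtar's block-size constant; MAX_LONGNAME, parse_octal_size and longlink_blocks_or_reject are names assumed here.

```c
#include <limits.h>
#include <stddef.h>

#define T_BLOCKSIZE 512              /* tar block size, the constant name libtar uses */
#define MAX_LONGNAME (64 * 1024)     /* assumed cap for a GNU longname/longlink payload */

/* Parse a 12-byte octal size field from a ustar/GNU tar header.
 * Returns -1 on malformed input (non-octal characters or overflow),
 * so a caller never treats garbage as a length. */
long parse_octal_size(const char *field, size_t len)
{
    long val = 0;
    size_t i = 0;

    while (i < len && field[i] == ' ')          /* leading blanks are permitted */
        i++;
    for (; i < len && field[i] != '\0' && field[i] != ' '; i++) {
        if (field[i] < '0' || field[i] > '7')
            return -1;
        if (val > (LONG_MAX >> 3))              /* would overflow on the next shift */
            return -1;
        val = (val << 3) + (field[i] - '0');
    }
    return val;
}

/* Number of 512-byte blocks to read for a GNU longlink/longname payload.
 * Returns 0 to signal rejection: a zero size leads to malloc(0) followed
 * by a block read past that allocation (the CVE-2021-33643 pattern), and
 * an oversized value lets a tiny archive demand an arbitrary allocation. */
size_t longlink_blocks_or_reject(const char *size_field)
{
    long sz = parse_octal_size(size_field, 12);

    if (sz <= 0 || sz > MAX_LONGNAME)
        return 0;
    return ((size_t)sz + T_BLOCKSIZE - 1) / T_BLOCKSIZE;
}
```

A reader that only proceeds when longlink_blocks_or_reject returns a non-zero count never reaches the malloc(0)-then-read sequence, whatever the header claims.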
Comment 1 Thomas Leroy 2022-08-11 06:43:38 UTC
The following codestreams are affected:
- openSUSE:Backports:SLE-15-SP3:Update
- openSUSE:Backports:SLE-15-SP4:Update
- openSUSE:Factory