Gentoo: GLSA-202402-12: GNU Tar: Out of Bounds Read
Summary
A vulnerability has been discovered in GNU Tar. Please review the CVE
identifier referenced below for details.
Resolution
All GNU Tar users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/tar-1.34-r3"
References
[ 1 ] CVE-2022-48303
https://nvd.nist.gov/vuln/detail/CVE-2022-48303
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202402-12
Concerns
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
Synopsis
A vulnerability has been discovered in GNU Tar which may lead to an out
of bounds read.
Background
The GNU Tar program provides the ability to create tar archives, as well
as various other kinds of manipulation.
Affected Packages
Package        Vulnerable   Unaffected
------------   ----------   ----------
app-arch/tar   < 1.34-r3    >= 1.34-r3
Impact
GNU Tar has a one-byte out-of-bounds read that results in use of
uninitialized memory for a conditional jump. Exploitation to change the
flow of control has not been demonstrated. The issue occurs via a V7
archive in which mtime has approximately 11 whitespace characters.
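The header shape the advisory describes (a V7 archive whose 12-byte mtime field holds only whitespace instead of an octal timestamp) can be screened for before an archive is handed to an unpatched tar. The scanner below is an added example, not Gentoo's or GNU Tar's code: it walks the 512-byte header blocks of a tar stream, classifies each header as V7/ustar/GNU by its magic bytes, and reports every entry whose mtime field contains nothing but spaces or tabs. The sample archive it runs against is constructed inline for the demonstration; GNU base-256 size encoding is not handled, which is an assumption about the inputs being scanned.

```python
"""Flag tar headers whose mtime field is blank (whitespace only).

Added example for GLSA-202402-12 / CVE-2022-48303; not Gentoo's or GNU Tar's
code. The advisory describes the trigger as a V7 archive whose mtime field
holds about 11 whitespace characters, so the check is a simple header walk.
"""
import io
import tarfile

BLOCK = 512
NAME = slice(0, 100)
SIZE = slice(124, 136)
MTIME = slice(136, 148)
CHKSUM = slice(148, 156)


def header_format(hdr: bytes) -> str:
    """Classify a header by its magic bytes; V7 headers carry no magic."""
    magic = hdr[257:263]
    if magic == b"ustar\x00":
        return "ustar"
    if magic == b"ustar ":
        return "gnu"
    return "v7"


def parse_octal(field: bytes) -> int:
    """Decode a NUL/space-terminated octal numeric field; blank or bad -> 0."""
    digits = field.strip(b"\x00 ")
    if not digits:
        return 0
    try:
        return int(digits, 8)
    except ValueError:
        return 0


def mtime_is_blank(hdr: bytes) -> bool:
    """True when the mtime field is only spaces/tabs after NUL padding is dropped.

    A well-formed header stores an octal timestamp here; a field made up of
    whitespace alone is the shape the advisory describes.
    """
    body = hdr[MTIME].rstrip(b"\x00")
    return len(body) > 0 and all(c in b" \t" for c in body)


def scan_tar(data: bytes) -> list:
    """Return (entry_index, name, format) for each header with a blank mtime.

    Headers are visited sequentially; an all-zero block (or end of data) ends
    the walk. Assumption: sizes are plain octal (no GNU base-256 encoding).
    """
    findings = []
    off = idx = 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == bytes(BLOCK):
            break
        name = hdr[NAME].split(b"\x00", 1)[0].decode("latin-1")
        if mtime_is_blank(hdr):
            findings.append((idx, name, header_format(hdr)))
        size = parse_octal(hdr[SIZE])
        off += BLOCK + (size + BLOCK - 1) // BLOCK * BLOCK
        idx += 1
    return findings


def build_v7_header(name: bytes, size: int, mtime_field: bytes) -> bytes:
    """Hand-assemble a V7-style header; constructed test data only."""
    hdr = bytearray(BLOCK)
    hdr[NAME] = name.ljust(100, b"\x00")
    hdr[100:108] = b"0000644\x00"          # mode
    hdr[108:116] = b"0000000\x00"          # uid
    hdr[116:124] = b"0000000\x00"          # gid
    hdr[SIZE] = b"%011o\x00" % size
    hdr[MTIME] = mtime_field.ljust(12, b"\x00")[:12]
    hdr[CHKSUM] = b"        "              # spaces while summing
    hdr[156] = 0x30                        # typeflag '0': regular file
    hdr[CHKSUM] = b"%06o\x00 " % sum(hdr)
    return bytes(hdr)


def sample_archive() -> bytes:
    """Constructed sample: one normal entry, then one with a blank mtime."""
    good = build_v7_header(b"readme.txt", 5, b"14000000000\x00")
    good += b"hello".ljust(BLOCK, b"\x00")
    odd = build_v7_header(b"odd.txt", 0, b" " * 11)
    return good + odd + bytes(BLOCK * 2)


def sample_clean_archive() -> bytes:
    """Constructed control: a ustar archive written by Python's tarfile."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        payload = b"fine"
        info = tarfile.TarInfo("clean.txt")
        info.size = len(payload)
        info.mtime = 1700000000
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for idx, name, fmt in scan_tar(sample_archive()):
        print(f"entry {idx} ({fmt}): {name!r} has a blank mtime field")
```

Run it against any archive by passing the file contents to scan_tar; an empty result means every header carried a numeric mtime. The control archive produced by tarfile shows the check does not fire on ordinary ustar output.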
Workaround
There is no known workaround at this time.