Multiple integer overflows in the th_read function in lib/block.c in libtar before 1.2.20 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) name or (2) link in an archive, which triggers a heap-based buffer overflow.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| feep | libtar | 1.2.14 |
| redhat | enterprise_linux | 6.0 |
| feep | libtar | 1.2.15 |
| feep | libtar | 1.2.16 |
| feep | libtar | 1.2.13 |
| feep | libtar | 1.2.17 |
| feep | libtar | 1.2.18 |
| feep | libtar | 1.2.11 |
| feep | libtar | * |
Multiple directory traversal vulnerabilities in the (1) tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20 and earlier allow remote attackers to overwrite arbitrary files via a .. (dot dot) in a crafted tar file.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| feep | libtar | 1.2.19 |
| feep | libtar | 1.2.14 |
| feep | libtar | 1.2.15 |
| feep | libtar | 1.2.16 |
| feep | libtar | 1.2.13 |
| feep | libtar | 1.2.17 |
| feep | libtar | 1.2.18 |
| feep | libtar | 1.2.11 |
| feep | libtar | * |
An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longlink, causing an out-of-bounds read.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 35 |
| huawei | openeuler | 22.03 |
| huawei | openeuler | 20.03 |
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| feep | libtar | * |
An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longname, causing an out-of-bounds read.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 35 |
| huawei | openeuler | 22.03 |
| huawei | openeuler | 20.03 |
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| feep | libtar | * |
The th_read() function doesn’t free a variable t->th_buf.gnu_longlink after allocating memory, which may cause a memory leak.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 35 |
| huawei | openeuler | 22.03 |
| huawei | openeuler | 20.03 |
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| feep | libtar | * |
The th_read() function doesn’t free a variable t->th_buf.gnu_longname after allocating memory, which may cause a memory leak.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 35 |
| huawei | openeuler | 22.03 |
| huawei | openeuler | 20.03 |
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| feep | libtar | * |