[Debian] Medium CVE: CVE-2022-48303/CVE-2023-39804 tar : multiple CVEs

Bug #2052926 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Wentao Zhang
Milestone: (none)

Bug Description

CVE-2022-48303: https://nvd.nist.gov/vuln/detail/CVE-2022-48303

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.
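The following is an added illustration, not GNU tar's code: a bounds-checked parser for a fixed-width tar header octal field such as mtime, which rejects a field made only of blanks instead of scanning past its end. The 12-byte field width, the header offset 136, and the "cursor runs one byte past an all-blank field" failure mode are assumed from the tar format and the CVE text, not taken from tar's source.

```python
"""Bounds-checked parsing of a tar V7/ustar numeric header field.

Added example (not GNU tar's from_header). Numbers such as mtime are
stored as ASCII octal in a fixed-width field; the parser skips leading
blanks, reads octal digits and stops at a blank/NUL, and every byte
access is guarded by `pos < limit` so it never reads past the field.
"""

from typing import Optional

MTIME_FIELD_LEN = 12   # assumed V7/ustar mtime field width
MTIME_OFFSET = 136     # assumed offset of mtime in the 512-byte header


def parse_octal_field(field: bytes) -> Optional[int]:
    """Return the field's value, or None if it is malformed."""
    limit = len(field)
    pos = 0
    # Skip leading blanks, but stop at the field boundary: an all-blank
    # field must not move the cursor one byte past the buffer.
    while pos < limit and field[pos] in b" \t":
        pos += 1
    if pos >= limit:
        return None                  # nothing but whitespace
    value = 0
    digits = 0
    while pos < limit and 0x30 <= field[pos] <= 0x37:
        value = value * 8 + (field[pos] - 0x30)
        pos += 1
        digits += 1
    if digits == 0:
        return None                  # no octal digits at all
    while pos < limit:               # only blank/NUL padding may follow
        if field[pos] not in b" \t\0":
            return None
        pos += 1
    return value


def check_header_mtime(header: bytes) -> Optional[int]:
    """Extract mtime from one 512-byte header block; None if not parseable."""
    if len(header) != 512:
        return None
    return parse_octal_field(header[MTIME_OFFSET:MTIME_OFFSET + MTIME_FIELD_LEN])


# Constructed sample fields, not taken from a real archive.
GOOD_MTIME = b"14253067160\0"        # 11 octal digits plus NUL terminator
BLANK_MTIME = b" " * 11 + b"\0"      # the all-whitespace shape the CVE text names
```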

CVE-2023-39804: https://nvd.nist.gov/vuln/detail/CVE-2023-39804

(No description available on this page.)

Base Score: Medium

Reference (package upgrade):

tar_1.34+dfsg-1_amd64.deb -> tar_1.34+dfsg-1+deb11u1_amd64.deb

OpenStack Infra (hudson-openstack) wrote: Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/910298

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/910298
Committed: https://opendev.org/starlingx/tools/commit/4dae7592e5eabbb49a00d4c68aa02e54f4807c92
Submitter: "Zuul (22348)"
Branch: master

commit 4dae7592e5eabbb49a00d4c68aa02e54f4807c92
Author: Wentao Zhang <email address hidden>
Date: Tue Feb 27 13:48:39 2024 +0800

    Debian: tar : fix CVE-2022-48303/CVE-2023-39804

    Upgrade tar to 1.34+dfsg-1+deb11u1

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2022-48303
    https://nvd.nist.gov/vuln/detail/CVE-2023-39804

    Test Plan:
    Pass: downloader
    Pass: build-pkgs --clean --all
    Pass: build-image
    Pass: boot

    Closes-bug: #2052926

    Change-Id: Iafa9152957b51cef162c318e3499457c276c041c
    Signed-off-by: Wentao Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Wentao Zhang (wzhang4)