Memory Leak GNU Tar 1.33

Bug #1912091 reported by Carlos Andres Ramirez
Affects        Status        Importance  Assigned to  Milestone
tar (Ubuntu)   Fix Released  Low         Unassigned
  Trusty       Fix Released  Undecided   Unassigned
  Xenial       Fix Released  Undecided   Unassigned
  Bionic       Fix Released  Undecided   Unassigned
  Focal        Fix Released  Undecided   Unassigned

Bug Description

An issue was discovered in GNU Tar 1.33 and earlier. There is a memory leak in read_header() in list.c in the tar application. Occasionally, ASAN detects an out-of-bounds memory read. Valgrind confirms the memory leak in the standard tar tool installed by default. This degrades the availability of the tar tool, and could potentially result in other memory-related issues.

Common Weakness Enumeration IDs for reference:
CWE-401: Missing Release of Memory after Effective Lifetime
CWE-125: Out-of-bounds Read

Attached to this report is a PoC maliciously crafted file "1311745-out-bounds.tar"

VALGRIND OUTPUT:
valgrind tar -xf 1311745-out-bounds.tar
==3776== Memcheck, a memory error detector
==3776== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3776== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==3776== Command: tar -xf output/1311745-out-bounds.tar
==3776==
tar: Unexpected EOF in archive
tar: Exiting with failure status due to previous errors
==3776==
==3776== HEAP SUMMARY:
==3776== in use at exit: 1,311,761 bytes in 2 blocks
==3776== total heap usage: 52 allocs, 50 frees, 1,349,212 bytes allocated
==3776==
==3776== LEAK SUMMARY:
==3776== definitely lost: 1,311,745 bytes in 1 blocks
...

NOTE: Versions 1.30, 1.32 and 1.33 were tested and confirmed to be vulnerable.

lsb_release -rd
Description: Ubuntu 20.04.1 LTS
Release: 20.04

apt-cache policy tar
tar:
  Installed: 1.30+dfsg-7ubuntu0.20.04.1
  Candidate: 1.30+dfsg-7ubuntu0.20.04.1

---
Carlos

Tags: focal

Revision history for this message
Carlos Andres Ramirez (carlos-andres-ramirez) wrote:

Update
This vulnerability has been discussed with the developer.
Developer has released a public fix.

Original Post in GNU TAR Project:
https://savannah.gnu.org/bugs/?59897

Commit with fix:
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777

This thread can go public now.

information type: Private Security → Public Security
Revision history for this message
Carlos Andres Ramirez (carlos-andres-ramirez) wrote:

Update:

CVE-2021-20193 has been assigned to this vulnerability by Red Hat Security team.

---
Carlos

Mathew Hodson (mhodson)
Changed in tar (Ubuntu):
importance: Undecided → Low
tags: added: focal
removed: security tar
Steve Beattie (sbeattie)
Changed in tar (Ubuntu):
status: New → Triaged
Revision history for this message
Sebastien Bacher (seb128) wrote:

The fix is in the newer version which is included in the current Ubuntu
https://bugs.launchpad.net/ubuntu/+source/tar/1.34+dfsg-1
it still needs to be applied to older series though

Changed in tar (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote:

This bug was fixed in the tagged releases
https://ubuntu.com/security/notices/USN-5329-1

General changelog:
  * SECURITY UPDATE: Denial of service (LP: #1912091)
    - debian/patches/CVE-2021-20193.patch: in read_header method in
      src/list.c, change the return value to be the value of status
      and break the execution, jumping to free next_long_name and
      next_long_link before returning.
    - CVE-2021-20193
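The leak described in the bug report (a long-name buffer abandoned when the archive hits "Unexpected EOF") and the cleanup described in the changelog above (break out of the loop and free next_long_name / next_long_link before returning status), as an added illustrative model written for this page. It is not tar's own read_header() from src/list.c: it is a cut-down header reader over a constructed, truncated in-memory archive whose single GNU 'L' long-name header is never followed by a real entry header. The names read_header_model, track_malloc, live_allocs and build_truncated_archive are assumptions for the example; checksums and most header fields are ignored. The `fixed` flag selects between the pre-fix early return and the post-fix break-then-free path, and live_allocs stands in for Valgrind's "in use at exit" count.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCKSIZE 512

enum read_header_status { HEADER_SUCCESS, HEADER_END_OF_FILE, HEADER_FAILURE };

/* In-memory archive stream; stands in for tar's block reader. */
struct stream { const unsigned char *data; size_t len; size_t pos; };

/* Allocation tracking: live_allocs plays the role of Valgrind's "in use at exit". */
static int live_allocs;
static char *track_malloc(size_t n) { char *p = malloc(n); if (p) live_allocs++; return p; }
static void track_free(char *p) { if (p) { live_allocs--; free(p); } }

/* Read one 512-byte block; returns 0 on a short read (truncated archive), 1 on success. */
static int read_block(struct stream *s, unsigned char *blk) {
  if (s->len - s->pos < BLOCKSIZE) { s->pos = s->len; return 0; }
  memcpy(blk, s->data + s->pos, BLOCKSIZE);
  s->pos += BLOCKSIZE;
  return 1;
}

/* Header size field: 12 octal ASCII bytes at offset 124 (copied so strtoul sees a NUL). */
static size_t header_size(const unsigned char *hdr) {
  char field[13];
  memcpy(field, hdr + 124, 12);
  field[12] = '\0';
  return (size_t) strtoul(field, NULL, 8);
}

/* Model of read_header(): consume GNU 'L' (long name) / 'K' (long link) extension
   headers, then the real entry header. `fixed` selects the CVE-2021-20193 cleanup path. */
static enum read_header_status
read_header_model(struct stream *s, int fixed, char **name_out) {
  char *next_long_name = NULL, *next_long_link = NULL;
  unsigned char hdr[BLOCKSIZE];
  enum read_header_status status = HEADER_FAILURE;

  *name_out = NULL;
  for (;;) {
    if (!read_block(s, hdr)) {
      /* tar reports "Unexpected EOF in archive" on this path. */
      status = HEADER_END_OF_FILE;
      if (!fixed) return status;   /* pre-fix: next_long_name / next_long_link leak */
      break;                       /* fix: fall through to the frees below */
    }
    char typeflag = (char) hdr[156];
    if (typeflag == 'L' || typeflag == 'K') {
      size_t size = header_size(hdr);
      char **slot = (typeflag == 'L') ? &next_long_name : &next_long_link;
      track_free(*slot);                       /* repeated extension header: drop the old one */
      *slot = track_malloc(size + 1);
      if (!*slot) { status = HEADER_FAILURE; if (!fixed) return status; break; }
      size_t got = 0;
      int ok = 1;                              /* the name's data blocks follow the header */
      while (got < size) {
        if (!read_block(s, hdr)) { ok = 0; break; }
        size_t n = size - got < BLOCKSIZE ? size - got : BLOCKSIZE;
        memcpy(*slot + got, hdr, n);
        got += n;
      }
      if (!ok) { status = HEADER_END_OF_FILE; if (!fixed) return status; break; }
      (*slot)[size] = '\0';
      continue;                                /* the real entry header should come next */
    }
    /* Ordinary header: hand the pending long name to the caller, otherwise copy the name field. */
    if (next_long_name) { *name_out = next_long_name; next_long_name = NULL; }
    else {
      *name_out = track_malloc(101);
      if (!*name_out) { status = HEADER_FAILURE; break; }
      memcpy(*name_out, hdr, 100);
      (*name_out)[100] = '\0';
    }
    status = HEADER_SUCCESS;
    break;
  }
  track_free(next_long_name);                  /* the post-fix cleanup; a no-op when already NULL */
  track_free(next_long_link);
  return status;
}

/* Constructed archive: one 'L' header announcing a long_len-byte name, its data blocks,
   and then nothing (no real entry header), i.e. a truncated archive. Returns bytes written. */
static size_t build_truncated_archive(unsigned char *out, size_t cap, size_t long_len) {
  size_t data_blocks = (long_len + BLOCKSIZE - 1) / BLOCKSIZE;
  size_t total = BLOCKSIZE * (1 + data_blocks);
  if (total > cap) return 0;
  memset(out, 0, total);
  memcpy(out, "././@LongLink", 13);            /* GNU long-name pseudo entry name */
  snprintf((char *) out + 124, 12, "%011zo", long_len);
  out[156] = 'L';
  memset(out + BLOCKSIZE, 'A', long_len);     /* the name bytes themselves */
  return total;
}

/* Run the model over the constructed archive; returns the number of heap blocks still live
   after read_header_model() returned HEADER_END_OF_FILE, or -1 if it returned anything else. */
static int leaked_blocks(int fixed) {
  static unsigned char archive[BLOCKSIZE * 4];
  size_t len = build_truncated_archive(archive, sizeof archive, 1024);
  struct stream s = { archive, len, 0 };
  char *name = NULL;
  live_allocs = 0;
  enum read_header_status st = read_header_model(&s, fixed, &name);
  track_free(name);
  return st == HEADER_END_OF_FILE ? live_allocs : -1;
}

int main(void) {
  printf("pre-fix : %d block(s) leaked\n", leaked_blocks(0));
  printf("post-fix: %d block(s) leaked\n", leaked_blocks(1));
  return 0;
}
```

The pre-fix path returns straight out of the loop while next_long_name still owns the buffer, which is exactly the one "definitely lost" block Valgrind reports against the real tool; the post-fix path breaks to the frees and exits clean. Running the real binary under valgrind on a truncated archive, as the reporter did, is the check to perform against a patched package.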

Changed in tar (Ubuntu Trusty):
status: New → Fix Released
Changed in tar (Ubuntu Xenial):
status: New → Fix Released
Changed in tar (Ubuntu Bionic):
status: New → Fix Released
Changed in tar (Ubuntu Focal):
status: New → Fix Released