Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libtar for openSUSE:Factory checked in at 2026-06-22 17:35:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libtar (Old) and /work/SRC/openSUSE:Factory/.libtar.new.1956 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libtar" Mon Jun 22 17:35:09 2026 rev:3 rq:1360868 version:1.2.20 Changes: -------- --- /work/SRC/openSUSE:Factory/libtar/libtar.changes 2018-07-06 10:42:33.955214022 +0200 +++ /work/SRC/openSUSE:Factory/.libtar.new.1956/libtar.changes 2026-06-22 17:35:17.602053560 +0200 @@ -1,0 +2,15 @@ +Sun Jun 21 16:45:25 UTC 2026 - Martin Pluskal <[email protected]> + +- Add upstream-pending security fixes (backported via Fedora): + * libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch: fix + out-of-bounds read in gnu_long{name,link} + (CVE-2021-33643, boo#1202316; CVE-2021-33644, boo#1202317) + * libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch: free memory + allocated by the gnu_long{name,link} fields, fixing the memory + leaks (CVE-2021-33645, boo#1202319; CVE-2021-33646, boo#1202320) + without re-introducing the use-after-free that an incorrect leak + fix otherwise causes (CVE-2021-33640, boo#1206547) +- Modernize spec: drop RPM groups, use pkgconfig(zlib) and + %ldconfig_scriptlets + +------------------------------------------------------------------- New: ---- libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch ----------(New B)---------- New:- Add upstream-pending security fixes (backported via Fedora): * libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch: fix out-of-bounds read in gnu_long{name,link} New: (CVE-2021-33643, boo#1202316; CVE-2021-33644, boo#1202317) * libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch: free memory allocated by the gnu_long{name,link} fields, fixing the memory ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libtar.spec ++++++ --- /var/tmp/diff_new_pack.3VYpQ4/_old 2026-06-22 17:35:18.774094805 +0200 +++ /var/tmp/diff_new_pack.3VYpQ4/_new 2026-06-22 17:35:18.778094945 +0200 
@@ -1,7 +1,7 @@ # # spec file for package libtar # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -21,7 +21,6 @@ Release: 0 Summary: Tar file manipulation API License: BSD-3-Clause -Group: Development/Libraries/C and C++ URL: http://www.feep.net/libtar/ Source0: libtar-%{version}.tar.bz2 # PATCH-FIX-UPSTREAM adding missing headers @@ -34,11 +33,16 @@ Patch6: libtar-1.2.11-bz729009.patch # PATCH-FIX-UPSTREAM do not use a static buffer as return value Patch7: libtar-1.2.20-no-static-buffer.patch +# OOB read in gnu_long{name,link} (CVE-2021-33643, CVE-2021-33644) - via Fedora +Patch8: libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch +# memory leaks + the resulting use-after-free in gnu_long{name,link} +# (CVE-2021-33645, CVE-2021-33646, CVE-2021-33640) - via Fedora +Patch9: libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: fdupes BuildRequires: libtool -BuildRequires: zlib-devel +BuildRequires: pkgconfig(zlib) %description libtar is a C library for manipulating POSIX tar files. It handles adding @@ -46,7 +50,6 @@ %package -n libtar1 Summary: Shared library for libtar -Group: System/Libraries %description -n libtar1 libtar is a C library for manipulating POSIX tar files. It handles adding @@ -56,7 +59,6 @@ %package devel Summary: Development files for libtar -Group: Development/Libraries/C and C++ Requires: %{name} = %{version}-%{release} %description devel 
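Review bot: Patch8 and Patch9 are declared in the `@@ -34,11 +33,16 @@` hunk, but this diff contains no change to %prep, so if %prep still applies patches with explicit `%patch` lines rather than `%autosetup -p1`/`%autopatch`, the two security patches are listed and never applied; %prep lies outside the visible hunks, so please confirm, and add `%patch8 -p1` and `%patch9 -p1` there if needed. The new comment lines also drop the `# PATCH-FIX-UPSTREAM` tag the file uses on the neighbouring Patch6/Patch7 entries; since the changelog calls these "upstream-pending", `# PATCH-FIX-OPENSUSE` (or the tag matching their true status) on each of the two new comment lines would keep the spec consistent and honest about provenance.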
@@ -88,8 +90,7 @@ # we dont want to ship these find %{buildroot} -type f -name "*.la" -delete -print -%post -n libtar1 -p /sbin/ldconfig -%postun -n libtar1 -p /sbin/ldconfig +%ldconfig_scriptlets -n libtar1 %files %license COPYRIGHT ++++++ libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch ++++++ >From 3936c7aa74d89e7a91dfbb2c1b7bfcad58a0355d Mon Sep 17 00:00:00 2001 From: shixuantong <[email protected]> Date: Wed, 6 Apr 2022 17:40:57 +0800 Subject: [PATCH 1/2] Ensure that sz is greater than 0. --- lib/block.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/lib/block.c b/lib/block.c index 092bc28..f12c4bc 100644 --- a/lib/block.c +++ b/lib/block.c @@ -118,6 +118,11 @@ th_read(TAR *t) if (TH_ISLONGLINK(t)) { sz = th_get_size(t); + if ((int)sz <= 0) + { + errno = EINVAL; + return -1; + } blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0); if (blocks > ((size_t)-1 / T_BLOCKSIZE)) { @@ -168,6 +173,11 @@ th_read(TAR *t) if (TH_ISLONGNAME(t)) { sz = th_get_size(t); + if ((int)sz <= 0) + { + errno = EINVAL; + return -1; + } blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0); if (blocks > ((size_t)-1 / T_BLOCKSIZE)) { -- 2.37.1 ++++++ libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch ++++++ >From 78e95da690556874baac96dd1d655e577c6d8e95 Mon Sep 17 00:00:00 2001 From: Kamil Dudka <[email protected]> Date: Tue, 4 Oct 2022 10:39:35 +0200 Subject: [PATCH] free memory allocated by gnu_long* fields --- lib/handle.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lib/handle.c b/lib/handle.c index 28a7dc2..18bd8dc 100644 --- a/lib/handle.c +++ b/lib/handle.c @@ -122,8 +122,11 @@ tar_close(TAR *t) libtar_hash_free(t->h, ((t->oflags & O_ACCMODE) == O_RDONLY ? free : (libtar_freefunc_t)tar_dev_free)); - if (t->th_pathname != NULL) - free(t->th_pathname); + + free(t->th_pathname); + free(t->th_buf.gnu_longname); + free(t->th_buf.gnu_longlink); + free(t); return i; -- 2.38.1
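Review bot: The new guard `if ((int)sz <= 0)` in both the TH_ISLONGLINK and TH_ISLONGNAME hunks tests a truncated copy of `sz`, so it is only correct under the unstated assumption that th_get_size() yields an int-sized value that `sz` merely widened; if `sz` is a size_t (its declaration is above the hunk) and th_get_size() can ever produce a value wider than int, a huge size whose low 32 bits are positive slips through to the `blocks` computation. Checking the signed result before widening makes the intent explicit and removes the cast: `int isz = th_get_size(t);` then `if (isz <= 0) { errno = EINVAL; return -1; }` then `sz = (size_t)isz;`. The five-line guard is duplicated verbatim in the two hunks; a small `static` helper or a shared check would keep the two paths from drifting apart on the next fix. th_read's body starts before and continues after these hunks.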
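Review bot: Freeing `t->th_buf.gnu_longname` and `t->th_buf.gnu_longlink` in tar_close() only reclaims whatever is still attached to `th_buf` when the handle is closed; if th_read() (not part of this patch) resets `t->th_buf` with memset before parsing the next header without freeing the previous pointers, every intermediate GNU long-name/long-link entry in an archive with several such entries still leaks, so please confirm th_read releases them first, e.g. `free(t->th_buf.gnu_longname); free(t->th_buf.gnu_longlink);` immediately before that memset (the memset then nulls the fields, so tar_close cannot double-free). Placing the three frees before `free(t)` keeps this hunk itself free of dangling pointers, and dropping the `if (t->th_pathname != NULL)` guard is fine since free(NULL) is a no-op. Because the changelog says an earlier incorrect leak fix caused a use-after-free (CVE-2021-33640), a short ownership comment above these frees, `/* gnu_long{name,link} stay owned by th_buf until tar_close(); never free them on th_read error paths */`, would document the invariant the fix relies on.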
