[Touch-packages] [Bug 1912091] Re: Memory Leak GNU Tar 1.33
Update: CVE-2021-20193 has been assigned to this vulnerability by Red Hat Security team. --- Carlos ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-20193 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu. https://bugs.launchpad.net/bugs/1912091 Title: Memory Leak GNU Tar 1.33 Status in tar package in Ubuntu: New Bug description: An issue was discovered in GNU Tar 1.33 and earlier. There is a memory leak in read_header() in list.c in the tar application. Occastionally, ASAN detects an out of bounds memory read. Valgrind confirms the memory leak in the standard tar tool installed by default. This degrades the availability of the tar tool, and could potentially result in other memory-related issues. Common Weakness Enumeration IDs for reference: CWE-401: Missing Release of Memory after Effective Lifetime CWE-125: Out-of-bounds Read Attached to this report is a PoC malcrafted file "1311745-out- bounds.tar" VALGRIND OUTPUT: valgrind tar -xf 1311745-out-bounds.tar ==3776== Memcheck, a memory error detector ==3776== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==3776== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info ==3776== Command: tar -xf output/1311745-out-bounds.tar ==3776== tar: Unexpected EOF in archive tar: Exiting with failure status due to previous errors ==3776== ==3776== HEAP SUMMARY: ==3776== in use at exit: 1,311,761 bytes in 2 blocks ==3776== total heap usage: 52 allocs, 50 frees, 1,349,212 bytes allocated ==3776== ==3776== LEAK SUMMARY: ==3776==definitely lost: 1,311,745 bytes in 1 blocks ... NOTE: Version 1.30, 1.32, 1.33 were tested and confirmed to be vulnerable. lsb_release -rd Description: Ubuntu 20.04.1 LTS Release: 20.04 apt-cache policy tar tar: Installed: 1.30+dfsg-7ubuntu0.20.04.1 Candidate: 1.30+dfsg-7ubuntu0.20.04.1 --- Carlos To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1912091/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912091] Re: Memory Leak GNU Tar 1.33
Update This vulnerability has been discussed with the developer. Developer has released a public fix. Original Post in GNU TAR Project: https://savannah.gnu.org/bugs/?59897 Commit with fix: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777 This thread can go public now. ** Bug watch added: GNU Savannah Bug Tracker #59897 http://savannah.gnu.org/bugs/?59897 ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu. https://bugs.launchpad.net/bugs/1912091 Title: Memory Leak GNU Tar 1.33 Status in tar package in Ubuntu: New Bug description: An issue was discovered in GNU Tar 1.33 and earlier. There is a memory leak in read_header() in list.c in the tar application. Occastionally, ASAN detects an out of bounds memory read. Valgrind confirms the memory leak in the standard tar tool installed by default. This degrades the availability of the tar tool, and could potentially result in other memory-related issues. Common Weakness Enumeration IDs for reference: CWE-401: Missing Release of Memory after Effective Lifetime CWE-125: Out-of-bounds Read Attached to this report is a PoC malcrafted file "1311745-out- bounds.tar" VALGRIND OUTPUT: valgrind tar -xf 1311745-out-bounds.tar ==3776== Memcheck, a memory error detector ==3776== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==3776== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info ==3776== Command: tar -xf output/1311745-out-bounds.tar ==3776== tar: Unexpected EOF in archive tar: Exiting with failure status due to previous errors ==3776== ==3776== HEAP SUMMARY: ==3776== in use at exit: 1,311,761 bytes in 2 blocks ==3776== total heap usage: 52 allocs, 50 frees, 1,349,212 bytes allocated ==3776== ==3776== LEAK SUMMARY: ==3776==definitely lost: 1,311,745 bytes in 1 blocks ... NOTE: Version 1.30, 1.32, 1.33 were tested and confirmed to be vulnerable. lsb_release -rd Description: Ubuntu 20.04.1 LTS Release: 20.04 apt-cache policy tar tar: Installed: 1.30+dfsg-7ubuntu0.20.04.1 Candidate: 1.30+dfsg-7ubuntu0.20.04.1 --- Carlos To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1912091/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
