On Fri, 2021-03-26 at 22:30 +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:

> CVE-2021-20193 18:15
> A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw
> allows an attacker who can submit a crafted input file to tar to cause
> uncontrolled consumption of memory. The highest threat from this
> vulnerability is to system availability.
>
> Patch available here:
> https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777
>
> Unreleased for now.

There has been a 1.34 release (a git tag is missing, but see
https://git.savannah.gnu.org/cgit/tar.git/log/ ‘maint: 1.34 announcement update’).

> We can probably apply it in core-updates now,

That's done already
(https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/base.scm?id=core-updates#n178).

> we should fix it in master also, since grafts don't apply to GNU Guix
> builds is that OK?

Technically, there won't be any trouble (except increased time spent grafting, I guess), but ...

> GNU Guix packages don't unpack arbitrary tarballs since we hardcode
> hashes for verification, but still

It's ‘merely’ a denial-of-service attack. Perhaps relevant to Software Heritage though (idk if they use Guix). So no big rush, but still nice to fix.

Thanks for looking at this (& other potential security issues),

Greetings,
Maxime.