Subject: bug#47422: tar is vulnerable to CVE-2021-20193
From: Maxime Devos
To: Léo Le Bouter, 47422@debbugs.gnu.org
Cc: bug-guix@gnu.org
Date: Fri, 26 Mar 2021 23:40:01 +0100
Message-ID: <1bc26f41f7a30bb04777b5a654acddbcfc3ea54c.camel@telenet.be>
In-Reply-To: <520e2097011aae1bfd9c20278e27e25813517b42.camel@zaclys.net>
On Fri, 2021-03-26 at 22:30 +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-20193 18:15
> A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw
> allows an attacker who can submit a crafted input file to tar to cause
> uncontrolled consumption of memory. The highest threat from this
> vulnerability is to system availability.
>
> Patch available here:
> https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777
>
> Unreleased for now.

There has been a 1.34 release (a git tag is missing, but see
https://git.savannah.gnu.org/cgit/tar.git/log/ ‘maint: 1.34 announcement update’).

> We can probably apply it in core-updates now,

That's done already
(https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/base.scm?id=core-updates#n178).

> we should fix it in master also, since grafts don't apply to GNU Guix builds
> is that OK?

Technically, there won't be any trouble (except increased time spent grafting, I guess), but ...

> GNU Guix packages don't unpack arbitrary tarballs since we hardcode
> hashes for verification, but still

It's ‘merely’ a denial-of-service attack. Perhaps relevant to Software Heritage though (idk if they use Guix).

So no big rush, but still nice to fix.

Thanks for looking at this (& other potential security issues),
Greetings,
Maxime.
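The thread discusses two ways of shipping the tar fix in Guix: a plain package update on core-updates (already done there) and a graft on master, which lets the patched tar reach users without rebuilding every dependent. The following is an added illustration of what such a graft definition looks like; it is not code from the Guix repository or from either participant in this thread. The patch file name `tar-CVE-2021-20193.patch`, the variable names `tar/fixed` and `tar/graft-demo`, and the module name are assumptions for the example; the upstream commit id is the one quoted in the thread.

```scheme
;; Added example, not part of the Guix tree: the shape of a Guix graft
;; that applies a security patch on master without a world rebuild.
;; Names below (module, tar/fixed, tar/graft-demo, the patch file name)
;; are assumptions made for this illustration.
(define-module (example tar-graft)
  #:use-module (guix packages)
  #:use-module (gnu packages)            ; search-patches
  #:use-module (gnu packages base))      ; the real `tar' package

;; A variant of tar with the upstream fix for CVE-2021-20193 applied.
;; The patch file (assumed name) would carry upstream commit
;; d9d4435692150fa8ff68e1b1a473d187cc3fd777, referenced in the thread.
;; Inheriting the existing origin keeps the hard-coded source hash that
;; the thread mentions as Guix's protection against arbitrary tarballs.
(define tar/fixed
  (package
    (inherit tar)
    (source (origin
              (inherit (package-source tar))
              (patches (append (origin-patches (package-source tar))
                               (search-patches "tar-CVE-2021-20193.patch")))))))

;; On master the real `tar' package itself would gain this `replacement'
;; field.  Here a separate name is used so the module does not clash with
;; (gnu packages base).  Packages depending on tar keep their derivations;
;; at profile build time Guix rewrites references to tar's store output
;; so they point at tar/fixed's output instead.  That rewriting is the
;; "time spent grafting" cost mentioned in the reply.
(define-public tar/graft-demo
  (package
    (inherit tar)
    (replacement tar/fixed)))
```

A graft only rewrites store references; it does not rebuild dependents, which is why it is the usual vehicle for a security fix on master while the proper update goes through core-updates. The replacement must produce outputs compatible with the original so that rewritten references still resolve correctly.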