Subject: bug#47422: tar is vulnerable to CVE-2021-20193
From: Léo Le Bouter via Bug reports for GNU Guix
To: 47422@debbugs.gnu.org
Date: Fri, 26 Mar 2021 22:30:57 +0100
Message-ID: <520e2097011aae1bfd9c20278e27e25813517b42.camel@zaclys.net>
List-Id: Bug reports for GNU Guix

CVE-2021-20193

A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.

Patch available here:
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777

Unreleased for now. We can probably apply it in core-updates now; we should fix it in master also, since grafts don't apply to GNU Guix builds. Is that OK?

GNU Guix packages don't unpack arbitrary tarballs since we hardcode hashes for verification, but still.
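The report above asks how to carry the upstream fix into Guix: a source-level patch on core-updates and, on master, a graft so that already-built users' profiles pick up the fixed tar without a full rebuild. The following is an added example of what those two package variants look like, written for this page; it is not code from the report, from Guix itself, or from the tar project. It assumes the upstream commit linked in the report has been exported as a patch file under the placeholder name tar-CVE-2021-20193.patch and placed where search-patches can find it (gnu/packages/patches/ in a Guix checkout); the module name (example tar-fix) is likewise made up for the example.

```scheme
;; Added example: applying an upstream CVE fix to the Guix tar package,
;; once as a source-level patch and once as a graft.  Not part of the
;; bug report or of the Guix tree.
;;
;; Assumptions (not on the page): the patch file name below is a
;; placeholder, and the module name is invented for this example.
(define-module (example tar-fix)
  #:use-module (guix packages)
  #:use-module (gnu packages)        ; search-patches
  #:use-module (gnu packages base))  ; the packaged `tar`

;; 1. Source-level fix (core-updates style): inherit the existing
;;    package and append the CVE patch to the origin's patch list.
;;    The build recomputes from the patched source, so every package
;;    that uses this tar as an input is rebuilt against the fix.
(define-public tar/fixed
  (package
    (inherit tar)
    (source
     (origin
       (inherit (package-source tar))
       (patches
        (append (origin-patches (package-source tar))
                ;; Placeholder file name; export the upstream commit
                ;; d9d4435692150fa8ff68e1b1a473d187cc3fd777 into it.
                (search-patches "tar-CVE-2021-20193.patch")))))))

;; 2. Graft (master style): keep the original package unchanged but
;;    declare the fixed variant as its `replacement`.  Guix then swaps
;;    the store references in dependents at substitution time, so users
;;    get the fixed binary quickly.  As the report notes, a graft does
;;    not change the tar used inside Guix's own build environments,
;;    which is why the source-level variant above is still needed.
(define-public tar/grafted
  (package
    (inherit tar)
    (replacement tar/fixed)))
```

To try it from a Guix checkout directory that contains example/tar-fix.scm and the patch file, build the fixed variant with `guix build -L . -e '(@ (example tar-fix) tar/fixed)'` and confirm the patch was applied by inspecting the build log for the patch step; `tar --version` alone will not show the fix, since the upstream version number is unchanged until a release includes the commit.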