Arch Linux 804 Published by

A tar security update has been released for Arch Linux.



ASA-202102-41: tar: denial of service


Arch Linux Security Advisory ASA-202102-41
=========================================
Severity: Low
Date : 2021-02-27
CVE-ID : CVE-2021-20193
Package : tar
Type : denial of service
Remote : No
Link :   https://security.archlinux.org/AVG-1462

Summary
======
The package tar before version 1.34-1 is vulnerable to denial of
service.

Resolution
=========
Upgrade to 1.34-1.

# pacman -Syu "tar>=1.34-1"

The problem has been fixed upstream in version 1.34.

Workaround
=========
None.

Description
==========
An issue was discovered in GNU Tar before version 1.34. There is a
memory leak in read_header() in list.c in the tar application.

Impact
=====
A crafted tar archive can crash the application.

References
=========
  https://bugzilla.redhat.com/show_bug.cgi?id17565
  https://savannah.gnu.org/bugs/?59897
  https://git.savannah.gnu.org/cgit/tar.git/commit/?id?d4435692150fa8ff68e1b1a473d187cc3fd777
  https://security.archlinux.org/CVE-2021-20193