Alan Coopersmith <[email protected]> writes:

> Red Hat appears to have assigned CVE-2026-5704 to this issue.
>
> Paul Eggert provided a patch in
> https://lists.gnu.org/archive/html/bug-tar/2026-03/msg00011.html
> which is also available in
> https://cgit.git.savannah.gnu.org/cgit/tar.git/commit/?id=b8d8a61b25588caca4efaf9bdd2e3f1a49da77e3
>
> https://lists.gnu.org/archive/html/bug-tar/2026-03/msg00012.html points out
> that a similar report was also included in
> https://lists.gnu.org/archive/html/bug-tar/2026-02/msg00022.html
> along with a number of other bug reports.

Not directly related to the issues in GNU tar, but one of the reports you shared [1]. See the following text:

> I am happy to coordinate on a disclosure timeline. Please let me know
> if you need additional information or testing.

This is one of many examples I have seen lately of people writing as if they were sending private messages on a public list. I assume it is a common LLM hallucination? I find it mildly annoying, especially since it is often paired with total slop.

I guess in this case it isn't a big deal since it is associated with an actual issue. For a worse example, see a recent bug report in GNU coreutils claiming that the 'printf' command allowed for remote code execution because it allows the user to control the format string [2]. Which is made worse by it just making up code that doesn't exist.

Collin

[1] https://lists.gnu.org/archive/html/bug-tar/2026-03/msg00007.html
[2] https://bugs.gnu.org/80802
