[Touch-packages] [Bug 1912091] Re: Memory Leak GNU Tar 1.33
** Changed in: tar (Ubuntu Bionic) Status: New => Fix Released ** Changed in: tar (Ubuntu Focal) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu. https://bugs.launchpad.net/bugs/1912091 Title: Memory Leak GNU Tar 1.33 Status in tar package in Ubuntu: Fix Released Status in tar source package in Trusty: Fix Released Status in tar source package in Xenial: Fix Released Status in tar source package in Bionic: Fix Released Status in tar source package in Focal: Fix Released Bug description: An issue was discovered in GNU Tar 1.33 and earlier. There is a memory leak in read_header() in list.c in the tar application. Occastionally, ASAN detects an out of bounds memory read. Valgrind confirms the memory leak in the standard tar tool installed by default. This degrades the availability of the tar tool, and could potentially result in other memory-related issues. Common Weakness Enumeration IDs for reference: CWE-401: Missing Release of Memory after Effective Lifetime CWE-125: Out-of-bounds Read Attached to this report is a PoC malcrafted file "1311745-out- bounds.tar" VALGRIND OUTPUT: valgrind tar -xf 1311745-out-bounds.tar ==3776== Memcheck, a memory error detector ==3776== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==3776== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info ==3776== Command: tar -xf output/1311745-out-bounds.tar ==3776== tar: Unexpected EOF in archive tar: Exiting with failure status due to previous errors ==3776== ==3776== HEAP SUMMARY: ==3776== in use at exit: 1,311,761 bytes in 2 blocks ==3776== total heap usage: 52 allocs, 50 frees, 1,349,212 bytes allocated ==3776== ==3776== LEAK SUMMARY: ==3776==definitely lost: 1,311,745 bytes in 1 blocks ... NOTE: Version 1.30, 1.32, 1.33 were tested and confirmed to be vulnerable. lsb_release -rd Description: Ubuntu 20.04.1 LTS Release: 20.04 apt-cache policy tar tar: Installed: 1.30+dfsg-7ubuntu0.20.04.1 Candidate: 1.30+dfsg-7ubuntu0.20.04.1 --- Carlos To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1912091/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912091] Re: Memory Leak GNU Tar 1.33
This bug was fixed in the tagged releases https://ubuntu.com/security/notices/USN-5329-1 General changelog: * SECURITY UPDATE: Denial of service (LP: #1912091) - debian/patches/CVE-2021-20193.patch: in read_header method in src/list.c, change the return value to be the value of status and break the execution, jumping to free next_long_name and next_long_link before returning. - CVE-2021-20193 ** Also affects: tar (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: tar (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: tar (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: tar (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: tar (Ubuntu Trusty) Status: New => Fix Released ** Changed in: tar (Ubuntu Xenial) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu. https://bugs.launchpad.net/bugs/1912091 Title: Memory Leak GNU Tar 1.33 Status in tar package in Ubuntu: Fix Released Status in tar source package in Trusty: Fix Released Status in tar source package in Xenial: Fix Released Status in tar source package in Bionic: Fix Released Status in tar source package in Focal: Fix Released Bug description: An issue was discovered in GNU Tar 1.33 and earlier. There is a memory leak in read_header() in list.c in the tar application. Occastionally, ASAN detects an out of bounds memory read. Valgrind confirms the memory leak in the standard tar tool installed by default. This degrades the availability of the tar tool, and could potentially result in other memory-related issues. Common Weakness Enumeration IDs for reference: CWE-401: Missing Release of Memory after Effective Lifetime CWE-125: Out-of-bounds Read Attached to this report is a PoC malcrafted file "1311745-out- bounds.tar" VALGRIND OUTPUT: valgrind tar -xf 1311745-out-bounds.tar ==3776== Memcheck, a memory error detector ==3776== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==3776== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info ==3776== Command: tar -xf output/1311745-out-bounds.tar ==3776== tar: Unexpected EOF in archive tar: Exiting with failure status due to previous errors ==3776== ==3776== HEAP SUMMARY: ==3776== in use at exit: 1,311,761 bytes in 2 blocks ==3776== total heap usage: 52 allocs, 50 frees, 1,349,212 bytes allocated ==3776== ==3776== LEAK SUMMARY: ==3776==definitely lost: 1,311,745 bytes in 1 blocks ... NOTE: Version 1.30, 1.32, 1.33 were tested and confirmed to be vulnerable. lsb_release -rd Description: Ubuntu 20.04.1 LTS Release: 20.04 apt-cache policy tar tar: Installed: 1.30+dfsg-7ubuntu0.20.04.1 Candidate: 1.30+dfsg-7ubuntu0.20.04.1 --- Carlos To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1912091/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912091] Re: Memory Leak GNU Tar 1.33
The fix is in the newer version which is included in the current Ubuntu https://bugs.launchpad.net/ubuntu/+source/tar/1.34+dfsg-1 it still need to be applied to older series though ** Changed in: tar (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu. https://bugs.launchpad.net/bugs/1912091 Title: Memory Leak GNU Tar 1.33 Status in tar package in Ubuntu: Fix Released Bug description: An issue was discovered in GNU Tar 1.33 and earlier. There is a memory leak in read_header() in list.c in the tar application. Occastionally, ASAN detects an out of bounds memory read. Valgrind confirms the memory leak in the standard tar tool installed by default. This degrades the availability of the tar tool, and could potentially result in other memory-related issues. Common Weakness Enumeration IDs for reference: CWE-401: Missing Release of Memory after Effective Lifetime CWE-125: Out-of-bounds Read Attached to this report is a PoC malcrafted file "1311745-out- bounds.tar" VALGRIND OUTPUT: valgrind tar -xf 1311745-out-bounds.tar ==3776== Memcheck, a memory error detector ==3776== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==3776== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info ==3776== Command: tar -xf output/1311745-out-bounds.tar ==3776== tar: Unexpected EOF in archive tar: Exiting with failure status due to previous errors ==3776== ==3776== HEAP SUMMARY: ==3776== in use at exit: 1,311,761 bytes in 2 blocks ==3776== total heap usage: 52 allocs, 50 frees, 1,349,212 bytes allocated ==3776== ==3776== LEAK SUMMARY: ==3776==definitely lost: 1,311,745 bytes in 1 blocks ... NOTE: Version 1.30, 1.32, 1.33 were tested and confirmed to be vulnerable. lsb_release -rd Description: Ubuntu 20.04.1 LTS Release: 20.04 apt-cache policy tar tar: Installed: 1.30+dfsg-7ubuntu0.20.04.1 Candidate: 1.30+dfsg-7ubuntu0.20.04.1 --- Carlos To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1912091/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912091] Re: Memory Leak GNU Tar 1.33
** Changed in: tar (Ubuntu) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu. https://bugs.launchpad.net/bugs/1912091 Title: Memory Leak GNU Tar 1.33 Status in tar package in Ubuntu: Triaged Bug description: An issue was discovered in GNU Tar 1.33 and earlier. There is a memory leak in read_header() in list.c in the tar application. Occastionally, ASAN detects an out of bounds memory read. Valgrind confirms the memory leak in the standard tar tool installed by default. This degrades the availability of the tar tool, and could potentially result in other memory-related issues. Common Weakness Enumeration IDs for reference: CWE-401: Missing Release of Memory after Effective Lifetime CWE-125: Out-of-bounds Read Attached to this report is a PoC malcrafted file "1311745-out- bounds.tar" VALGRIND OUTPUT: valgrind tar -xf 1311745-out-bounds.tar ==3776== Memcheck, a memory error detector ==3776== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==3776== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info ==3776== Command: tar -xf output/1311745-out-bounds.tar ==3776== tar: Unexpected EOF in archive tar: Exiting with failure status due to previous errors ==3776== ==3776== HEAP SUMMARY: ==3776== in use at exit: 1,311,761 bytes in 2 blocks ==3776== total heap usage: 52 allocs, 50 frees, 1,349,212 bytes allocated ==3776== ==3776== LEAK SUMMARY: ==3776==definitely lost: 1,311,745 bytes in 1 blocks ... NOTE: Version 1.30, 1.32, 1.33 were tested and confirmed to be vulnerable. lsb_release -rd Description: Ubuntu 20.04.1 LTS Release: 20.04 apt-cache policy tar tar: Installed: 1.30+dfsg-7ubuntu0.20.04.1 Candidate: 1.30+dfsg-7ubuntu0.20.04.1 --- Carlos To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1912091/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912091] Re: Memory Leak GNU Tar 1.33
** Changed in: tar (Ubuntu) Importance: Undecided => Low ** Tags removed: security tar ** Tags added: focal -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu. https://bugs.launchpad.net/bugs/1912091 Title: Memory Leak GNU Tar 1.33 Status in tar package in Ubuntu: New Bug description: An issue was discovered in GNU Tar 1.33 and earlier. There is a memory leak in read_header() in list.c in the tar application. Occastionally, ASAN detects an out of bounds memory read. Valgrind confirms the memory leak in the standard tar tool installed by default. This degrades the availability of the tar tool, and could potentially result in other memory-related issues. Common Weakness Enumeration IDs for reference: CWE-401: Missing Release of Memory after Effective Lifetime CWE-125: Out-of-bounds Read Attached to this report is a PoC malcrafted file "1311745-out- bounds.tar" VALGRIND OUTPUT: valgrind tar -xf 1311745-out-bounds.tar ==3776== Memcheck, a memory error detector ==3776== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==3776== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info ==3776== Command: tar -xf output/1311745-out-bounds.tar ==3776== tar: Unexpected EOF in archive tar: Exiting with failure status due to previous errors ==3776== ==3776== HEAP SUMMARY: ==3776== in use at exit: 1,311,761 bytes in 2 blocks ==3776== total heap usage: 52 allocs, 50 frees, 1,349,212 bytes allocated ==3776== ==3776== LEAK SUMMARY: ==3776==definitely lost: 1,311,745 bytes in 1 blocks ... NOTE: Version 1.30, 1.32, 1.33 were tested and confirmed to be vulnerable. lsb_release -rd Description: Ubuntu 20.04.1 LTS Release: 20.04 apt-cache policy tar tar: Installed: 1.30+dfsg-7ubuntu0.20.04.1 Candidate: 1.30+dfsg-7ubuntu0.20.04.1 --- Carlos To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1912091/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912091] Re: Memory Leak GNU Tar 1.33
Update: CVE-2021-20193 has been assigned to this vulnerability by Red Hat Security team. --- Carlos ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-20193 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu. https://bugs.launchpad.net/bugs/1912091 Title: Memory Leak GNU Tar 1.33 Status in tar package in Ubuntu: New Bug description: An issue was discovered in GNU Tar 1.33 and earlier. There is a memory leak in read_header() in list.c in the tar application. Occastionally, ASAN detects an out of bounds memory read. Valgrind confirms the memory leak in the standard tar tool installed by default. This degrades the availability of the tar tool, and could potentially result in other memory-related issues. Common Weakness Enumeration IDs for reference: CWE-401: Missing Release of Memory after Effective Lifetime CWE-125: Out-of-bounds Read Attached to this report is a PoC malcrafted file "1311745-out- bounds.tar" VALGRIND OUTPUT: valgrind tar -xf 1311745-out-bounds.tar ==3776== Memcheck, a memory error detector ==3776== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==3776== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info ==3776== Command: tar -xf output/1311745-out-bounds.tar ==3776== tar: Unexpected EOF in archive tar: Exiting with failure status due to previous errors ==3776== ==3776== HEAP SUMMARY: ==3776== in use at exit: 1,311,761 bytes in 2 blocks ==3776== total heap usage: 52 allocs, 50 frees, 1,349,212 bytes allocated ==3776== ==3776== LEAK SUMMARY: ==3776==definitely lost: 1,311,745 bytes in 1 blocks ... NOTE: Version 1.30, 1.32, 1.33 were tested and confirmed to be vulnerable. lsb_release -rd Description: Ubuntu 20.04.1 LTS Release: 20.04 apt-cache policy tar tar: Installed: 1.30+dfsg-7ubuntu0.20.04.1 Candidate: 1.30+dfsg-7ubuntu0.20.04.1 --- Carlos To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1912091/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912091] Re: Memory Leak GNU Tar 1.33
Update This vulnerability has been discussed with the developer. Developer has released a public fix. Original Post in GNU TAR Project: https://savannah.gnu.org/bugs/?59897 Commit with fix: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777 This thread can go public now. ** Bug watch added: GNU Savannah Bug Tracker #59897 http://savannah.gnu.org/bugs/?59897 ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu. https://bugs.launchpad.net/bugs/1912091 Title: Memory Leak GNU Tar 1.33 Status in tar package in Ubuntu: New Bug description: An issue was discovered in GNU Tar 1.33 and earlier. There is a memory leak in read_header() in list.c in the tar application. Occastionally, ASAN detects an out of bounds memory read. Valgrind confirms the memory leak in the standard tar tool installed by default. This degrades the availability of the tar tool, and could potentially result in other memory-related issues. Common Weakness Enumeration IDs for reference: CWE-401: Missing Release of Memory after Effective Lifetime CWE-125: Out-of-bounds Read Attached to this report is a PoC malcrafted file "1311745-out- bounds.tar" VALGRIND OUTPUT: valgrind tar -xf 1311745-out-bounds.tar ==3776== Memcheck, a memory error detector ==3776== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==3776== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info ==3776== Command: tar -xf output/1311745-out-bounds.tar ==3776== tar: Unexpected EOF in archive tar: Exiting with failure status due to previous errors ==3776== ==3776== HEAP SUMMARY: ==3776== in use at exit: 1,311,761 bytes in 2 blocks ==3776== total heap usage: 52 allocs, 50 frees, 1,349,212 bytes allocated ==3776== ==3776== LEAK SUMMARY: ==3776==definitely lost: 1,311,745 bytes in 1 blocks ... NOTE: Version 1.30, 1.32, 1.33 were tested and confirmed to be vulnerable. lsb_release -rd Description: Ubuntu 20.04.1 LTS Release: 20.04 apt-cache policy tar tar: Installed: 1.30+dfsg-7ubuntu0.20.04.1 Candidate: 1.30+dfsg-7ubuntu0.20.04.1 --- Carlos To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1912091/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
