A vulnerability has been discovered in GNU Tar which may lead to an out of bounds read.
Package | app-arch/tar on all architectures |
---|---|
Affected versions | < 1.34-r3 |
Unaffected versions | >= 1.34-r3 |
The GNU Tar program provides the ability to create tar archives, as well as various other kinds of manipulation.
A vulnerability have been discovered in GNU Tar. Please review the CVE identifier referenced below for details.
GNU Tar has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs via a V7 archive in which mtime has approximately 11 whitespace characters.
There is no known workaround at this time.
All GNU Tar users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-arch/tar-1.34-r3"
Release date
February 18, 2024
Latest revision
February 18, 2024: 1
Severity
high
Exploitable
remote
Bugzilla entries