Léo Le Bouter <lle-bout@HIDDEN> to control <at> debbugs.gnu.org.
Received: (at submit) by debbugs.gnu.org; 26 Mar 2021 21:31:08 +0000
Message-ID: <520e2097011aae1bfd9c20278e27e25813517b42.camel@HIDDEN>
Subject: tar is vulnerable to CVE-2021-20193
From: Léo Le Bouter <lle-bout@HIDDEN>
To: bug-guix@HIDDEN
Date: Fri, 26 Mar 2021 22:30:57 +0100

CVE-2021-20193 18:15
A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.

Patch available here:
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777

Unreleased for now.

We can probably apply it in core-updates now, we should fix it in master also, since grafts don't apply to GNU Guix builds is that OK?

GNU Guix packages don't unpack arbitrary tarballs since we hardcode hashes for verification, but still.
Léo Le Bouter <lle-bout@HIDDEN>: bug-guix@HIDDEN.
bug-guix@HIDDEN: bug#47422; Package guix.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.