{"schema_version":"1.7.2","id":"OESA-2022-1807","modified":"2022-08-05T11:04:05Z","published":"2022-08-05T11:04:05Z","upstream":["CVE-2021-33643","CVE-2021-33644","CVE-2021-33645","CVE-2021-33646"],"summary":"libtar security update","details":"Libtar is a C library for manipulating POSIX tar files. It handles adding and extracting files to/from a tar archive. Requires gcc, make, and zlib.\r\n\r\nSecurity Fix(es):\r\n\r\nAn attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longlink, causing an out-of-bounds read.(CVE-2021-33643)\r\n\r\nAn attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longname, causing an out-of-bounds read.(CVE-2021-33644)\r\n\r\nThe th_read() function doesn’t free a variable t-\u0026gt;th_buf.gnu_longlink after allocating memory, which may cause a memory leak.(CVE-2021-33645)\r\n\r\nThe th_read() function doesn’t free a variable t-\u0026gt;th_buf.gnu_longname after allocating memory, which may cause a memory leak.(CVE-2021-33646)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP1","name":"libtar","purl":"pkg:rpm/openEuler/libtar\u0026distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.20-19.oe1"}]}],"ecosystem_specific":{"aarch64":["libtar-1.2.20-19.oe1.aarch64.rpm","libtar-help-1.2.20-19.oe1.aarch64.rpm","libtar-debugsource-1.2.20-19.oe1.aarch64.rpm","libtar-devel-1.2.20-19.oe1.aarch64.rpm","libtar-debuginfo-1.2.20-19.oe1.aarch64.rpm"],"src":["libtar-1.2.20-19.oe1.src.rpm"],"x86_64":["libtar-devel-1.2.20-19.oe1.x86_64.rpm","libtar-1.2.20-19.oe1.x86_64.rpm","libtar-debuginfo-1.2.20-19.oe1.x86_64.rpm","libtar-debugsource-1.2.20-19.oe1.x86_64.rpm","libtar-help-1.2.20-19.oe1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:20.03-LTS-SP3","name":"libtar","purl":"pkg:rpm/openEuler/libtar\u0026distro=openEuler-20.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.20-19.oe1"}]}],"ecosystem_specific":{"aarch64":["libtar-1.2.20-19.oe1.aarch64.rpm","libtar-devel-1.2.20-19.oe1.aarch64.rpm","libtar-debuginfo-1.2.20-19.oe1.aarch64.rpm","libtar-help-1.2.20-19.oe1.aarch64.rpm","libtar-debugsource-1.2.20-19.oe1.aarch64.rpm"],"src":["libtar-1.2.20-19.oe1.src.rpm"],"x86_64":["libtar-1.2.20-19.oe1.x86_64.rpm","libtar-debuginfo-1.2.20-19.oe1.x86_64.rpm","libtar-devel-1.2.20-19.oe1.x86_64.rpm","libtar-debugsource-1.2.20-19.oe1.x86_64.rpm","libtar-help-1.2.20-19.oe1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:22.03-LTS","name":"libtar","purl":"pkg:rpm/openEuler/libtar\u0026distro=openEuler-22.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.20-21.oe2203"}]}],"ecosystem_specific":{"aarch64":["libtar-debugsource-1.2.20-21.oe2203.aarch64.rpm","libtar-help-1.2.20-21.oe2203.aarch64.rpm","libtar-devel-1.2.20-21.oe2203.aarch64.rpm","libtar-debuginfo-1.2.20-21.oe2203.aarch64.rpm","libtar-1.2.20-21.oe2203.aarch64.rpm"],"src":["libtar-1.2.20-21.oe2203.src.rpm"],"x86_64":["libtar-debugsource-1.2.20-21.oe2203.x86_64.rpm","libtar-devel-1.2.20-21.oe2203.x86_64.rpm","libtar-1.2.20-21.oe2203.x86_64.rpm","libtar-debuginfo-1.2.20-21.oe2203.x86_64.rpm","libtar-help-1.2.20-21.oe2203.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-33643"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-33644"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-33645"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-33646"}],"database_specific":{"severity":"Medium"}}