Source: tar
Version: 1.30+dfsg-3
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for tar.

CVE-2018-20482[0]:
| GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage
| during read access, which allows local users to cause a denial of
| service (infinite read loop in sparse_dump_region in sparse.c) by
| modifying a file that is supposed to be archived by a different user's
| process (e.g., a system backup running as root).

The issue has not yet been reported upstream according to the reporter's
blog entry due to time limitations, cf. [1], [2] and [3].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20482
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482
[1] https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug
[2] https://twitter.com/thatcks/status/1076166645708668928
[3] https://news.ycombinator.com/item?id=18745431

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore