Bug 1662346 (CVE-2018-20482)

Summary: CVE-2018-20482 tar: Infinite read loop in sparse_dump_region function in sparse.c
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: abhgupta, databases-maint, dbaker, hhorak, jokerman, pkubat, praiskup, sthangav, trankin
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-05-20 21:18:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1662347, 1663454
Bug Blocks: 1662348

Description Pedro Sampaio 2018-12-27 21:33:33 UTC
GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).

References:

https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug

Upstream patch:

http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42c

Comment 1 Pedro Sampaio 2018-12-27 21:36:27 UTC
Created tar tracking bugs for this issue:

Affects: fedora-all [bug 1662347]

Comment 2 Riccardo Schirone 2019-01-04 10:29:26 UTC
See https://www.mail-archive.com/bug-tar@gnu.org/msg04432.html

Comment 3 Riccardo Schirone 2019-01-04 10:44:21 UTC
A different patch from the one mentioned in comment 0 has been applied to Fedora 29.

The patch was proposed in https://www.mail-archive.com/bug-tar@gnu.org/msg04443.html .

Comment 5 Riccardo Schirone 2019-01-04 10:51:21 UTC
Many functions in sparse.c (e.g. sparse_dump_region(), check_sparse_region(), check_data_region()) do not correctly check the return value of the safe_read() function, used to read the file. When safe_read() returns 0 because of a file shrinkage, those functions never terminate (unless the file is enlarged again).
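The read-loop shape described in the description and in comment 5, as an added example that is not tar's code: `safe_read_demo()`, `dump_region_unchecked()`, `dump_region_checked()` and `make_shrunk_file()` are hypothetical names written for this illustration, and `safe_read_demo()` only stands in for the behaviour of safe_read() that matters here (0 at end of file, -1 on error). The unchecked loop keeps subtracting the bytes read from a size taken earlier; once the file has been truncated by another process, every read returns 0 and the size never reaches zero. The demo caps that loop with `max_spins` purely so it terminates; the fixed form treats a 0-byte read before the expected size is consumed as "file shrank" and returns an error instead.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_SIZE 512

/* Hypothetical stand-in for tar's safe_read(): retries on EINTR, otherwise
 * returns what read() returns: bytes read, 0 at end of file, -1 on error. */
static ssize_t safe_read_demo(int fd, void *buf, size_t count)
{
    for (;;) {
        ssize_t n = read(fd, buf, count);
        if (n < 0 && errno == EINTR)
            continue;
        return n;
    }
}

/* Buggy loop shape, instrumented so it terminates: it trusts the size recorded
 * earlier and reads until that many bytes are consumed, but a 0-byte read (the
 * file shrank after it was sized) never decrements `size`. max_spins is an
 * artificial bound for this demo only. Returns the number of 0-byte reads seen
 * before giving up, 0 on success, -1 on read error. */
static long dump_region_unchecked(int fd, off_t size, long max_spins)
{
    char buf[BUF_SIZE];
    long spins = 0;

    while (size > 0) {
        size_t want = size < BUF_SIZE ? (size_t)size : BUF_SIZE;
        ssize_t n = safe_read_demo(fd, buf, want);
        if (n < 0)
            return -1;
        if (n == 0 && ++spins >= max_spins)
            return spins;          /* the real loop has no bound: it spins forever */
        size -= n;                 /* n == 0 leaves size unchanged */
    }
    return 0;
}

/* Hardened form: a 0-byte read while `size` is still positive means the file
 * is now shorter than expected. Stop and report it instead of looping.
 * Returns 0 on success, 1 if the file shrank, -1 on read error. */
static int dump_region_checked(int fd, off_t size, off_t *copied)
{
    char buf[BUF_SIZE];

    *copied = 0;
    while (size > 0) {
        size_t want = size < BUF_SIZE ? (size_t)size : BUF_SIZE;
        ssize_t n = safe_read_demo(fd, buf, want);
        if (n < 0)
            return -1;
        if (n == 0)
            return 1;              /* early EOF: file shrank under us */
        size -= n;
        *copied += n;
    }
    return 0;
}

/* Constructed fixture: write `len` bytes of 'A' to an unlinked temp file, then
 * truncate it to `shrunk_len` to mimic another process shrinking the file
 * mid-archive. Returns an fd positioned at offset 0, or -1 on failure. */
static int make_shrunk_file(off_t len, off_t shrunk_len)
{
    char path[] = "/tmp/sparse_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);

    char *data = malloc((size_t)len);
    if (!data) { close(fd); return -1; }
    memset(data, 'A', (size_t)len);
    size_t off = 0;
    while (off < (size_t)len) {
        ssize_t w = write(fd, data + off, (size_t)len - off);
        if (w < 0) { free(data); close(fd); return -1; }
        off += (size_t)w;
    }
    free(data);

    if (ftruncate(fd, shrunk_len) < 0 || lseek(fd, 0, SEEK_SET) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    off_t copied;
    int fd = make_shrunk_file(4096, 1000);     /* sized at 4096, now 1000 bytes */
    if (fd < 0)
        return 1;
    int rc = dump_region_checked(fd, 4096, &copied);
    printf("checked: rc=%d copied=%lld\n", rc, (long long)copied);
    close(fd);

    fd = make_shrunk_file(4096, 1000);
    long spins = dump_region_unchecked(fd, 4096, 50);
    printf("unchecked: gave up after %ld zero-length reads\n", spins);
    close(fd);
    return 0;
}
```

The defensive point is the same one the upstream discussion makes: the size obtained before reading is a hint, not a guarantee, so the loop must treat 0 from the read call as a terminal condition (shrinkage or EOF) rather than as "no progress yet, try again".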

Comment 7 Product Security DevOps Team 2020-05-20 21:18:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20482