Bug 1917565 (CVE-2021-20193)

Summary: CVE-2021-20193 tar: Memory leak in read_header() in list.c
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: andres, databases-maint, kaycoth, kdudka, ovasik, panovotn, pkubat, praiskup
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the src/list.c of tar. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-02 18:25:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1917631, 1917633, 1917634, 1917742    
Bug Blocks: 1917567, 1939998    
Attachments:
Description Flags
PoC - Test case for memory leak/crash none

Description Pedro Sampaio 2021-01-18 18:35:40 UTC 
An issue was discovered in GNU Tar 1.33 and earlier. There is a memory leak in read_header() in list.c in the tar application.

Upstream bug:

https://savannah.gnu.org/bugs/?59897

Upstream patch:

https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777
Comment 1 Carlos Andres Ramirez 2021-01-19 01:20:05 UTC 
Created attachment 1748610 [details]
PoC - Test case for memory leak/crash

This is the .tar test case from my original report. Can be used with Valgrind to confirm the memory leak before the crash.
Comment 3 Todd Cullum 2021-01-19 01:34:37 UTC 
Flaw summary:

Memory pointed to by `next_long_name` and `next_long_link` was not being freed upon return of the `read_header()` routine in src/list.c. An attacker who provided a specially crafted input file to tar could cause an impact to application availability. The patch changes `read_header()` to not return before freeing memory pointed to by `next_long_name` and `next_long_link`.
Comment 4 Todd Cullum 2021-01-19 01:35:44 UTC 
Created tar tracking bugs for this issue:

Affects: fedora-all [bug 1917631]