Bug 2121295 (CVE-2021-33645)
Summary: | CVE-2021-33645 libtar: memory leak found in th_read() function | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sandipan Roy <saroy> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | huzaifas, kdudka, kvolny, praiskup, security-response-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
A flaw was found in libtar. This security vulnerability occurs because the th_read() function in libtar doesn’t free a variable t->th_buf.gnu_longlink after allocating memory, which may cause a memory leak.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2023-05-16 14:51:55 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2121296, 2121327 | ||
Bug Blocks: | 2117835 |
Description
Sandipan Roy
2022-08-25 05:13:33 UTC
Created libtar tracking bugs for this issue: Affects: fedora-all [bug 2121296] The security fixes in question seem to be available in this source RPM package: https://repo.openeuler.org/openEuler-22.03-LTS/update/source/Packages/libtar-1.2.20-21.oe2203.src.rpm (In reply to Sandipan Roy from comment #0) > https://www.openeuler.org/en/security/safety-bulletin/detail. > html?id=openEuler-SA-2022-1807 this returns 404 not found do we have a reproducer for the issue? In reply to comment #8: > (In reply to Sandipan Roy from comment #0) > > https://www.openeuler.org/en/security/safety-bulletin/detail. > > html?id=openEuler-SA-2022-1807 > > this returns 404 not found > > do we have a reproducer for the issue? I'm also seeing 404 now, I don't have any reproducer or test cases. I got the correct link, https://repo.openeuler.org/security/data/cvrf/2022/cvrf-openEuler-SA-2022-1807.xml (In reply to Sandipan Roy from comment #10) > I got the correct link, > https://repo.openeuler.org/security/data/cvrf/2022/cvrf-openEuler-SA-2022- > 1807.xml thanks, but it doesn't seem to add anything valuable ... This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2898 https://access.redhat.com/errata/RHSA-2023:2898 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-33645 |