GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).

References: https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug

Upstream patch: http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42c
Created tar tracking bugs for this issue: Affects: fedora-all [bug 1662347]
See https://www.mail-archive.com/bug-tar@gnu.org/msg04432.html
A different patch from the one mentioned in comment 0 has been applied to Fedora 29. The patch was proposed in https://www.mail-archive.com/bug-tar@gnu.org/msg04443.html .
Many functions in sparse.c (e.g. sparse_dump_region(), check_sparse_region(), check_data_region()) do not correctly check the return value of the safe_read() function, used to read the file. When safe_read() returns 0 because of a file shrinkage, those functions never terminate (unless the file is enlarged again).
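The return-value check described in the comment above, shown as an added C example that is not GNU tar code and not taken from either patch linked in this bug. Plain read() stands in for safe_read(), and every function, enum and path name in it is hypothetical; the file it reads is a constructed temporary file.

```c
/* Added illustration, not GNU tar source; every name here is hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkstemp, ftruncate */
#endif
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
enum region_status { REGION_OK = 0, REGION_READ_ERROR = -1, REGION_SHRANK = 1 };

/* Read `len` bytes at `offset`, as a sparse-region dumper would. The flawed
   shape is `while (left > 0) { n = read (...); left -= n; }`: after the file
   shrinks, read() keeps returning 0 and `left` never reaches zero. */
enum region_status read_region (int fd, off_t offset, size_t len, size_t *copied)
{
  char buf[512];
  size_t left = len;
  *copied = 0;
  if (lseek (fd, offset, SEEK_SET) < 0)
    return REGION_READ_ERROR;
  while (left > 0)
    {
      ssize_t n = read (fd, buf, left < sizeof buf ? left : sizeof buf);
      if (n < 0 && errno == EINTR)
        continue;
      if (n < 0)
        return REGION_READ_ERROR;
      if (n == 0)               /* EOF inside the region: the file shrank */
        return REGION_SHRANK;   /* stop; the caller decides how to report it */
      left -= (size_t) n;
      *copied += (size_t) n;
    }
  return REGION_OK;
}

/* Constructed scenario: an 8192-byte file is cut to `keep` bytes after its
   size was recorded, then the full 8192-byte region is requested. */
enum region_status demo_truncated_file (size_t keep, size_t *copied)
{
  char path[] = "/tmp/shrink-demo-XXXXXX", data[8192];
  enum region_status st = REGION_READ_ERROR;
  int fd = mkstemp (path);
  *copied = 0;
  if (fd < 0) return st;
  unlink (path);
  memset (data, 'A', sizeof data);
  if (write (fd, data, sizeof data) == (ssize_t) sizeof data
      && ftruncate (fd, (off_t) keep) == 0)
    st = read_region (fd, 0, sizeof data, copied);
  close (fd);
  return st;
}
```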
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-20482