An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger a call to malloc(0) for a variable gnu_longname, causing an out-of-bounds read. https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807
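As an added illustration of the defensive check this report calls for (example code written here, not libtar's own source): the size field of a 512-byte header is parsed as octal and a GNU long-name entry is rejected when that size is zero, malformed or oversized, so the allocation path never reaches malloc(0). The function names, the MAX_LONGNAME bound and the constructed headers are assumptions for this example.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define T_BLOCKSIZE   512
#define TAR_SIZE_OFF  124          /* offset of the 12-byte octal size field */
#define TAR_SIZE_LEN  12
#define TAR_TYPE_OFF  156          /* typeflag; 'L' marks a GNU long name */
#define MAX_LONGNAME  (64 * 1024)  /* assumed upper bound for this example */

/* Parse the octal size field; returns -1 on a malformed or overflowing value. */
static long tar_header_size(const unsigned char *hdr)
{
    long size = 0;
    for (int i = 0; i < TAR_SIZE_LEN; i++) {
        unsigned char c = hdr[TAR_SIZE_OFF + i];
        if (c == '\0' || c == ' ')
            break;                      /* field is NUL- or space-terminated */
        if (c < '0' || c > '7')
            return -1;                  /* not an octal digit */
        if (size > (LONG_MAX >> 3))
            return -1;                  /* would overflow */
        size = (size << 3) | (long)(c - '0');
    }
    return size;
}

/* Allocate a NUL-terminated buffer for a GNU long-name entry.
 * A zero size is rejected explicitly, so malloc(0) is never called, and the
 * size is capped so a crafted header cannot request an arbitrary allocation.
 * Returns NULL when the header is not an acceptable long-name entry. */
char *alloc_longname(const unsigned char *hdr, size_t *out_len)
{
    long sz = tar_header_size(hdr);
    if (hdr[TAR_TYPE_OFF] != 'L' || sz <= 0 || sz > MAX_LONGNAME)
        return NULL;
    size_t blocks = ((size_t)sz + T_BLOCKSIZE - 1) / T_BLOCKSIZE;
    /* Round up to whole blocks (the data is read block-wise) plus one NUL. */
    char *buf = calloc(blocks * T_BLOCKSIZE + 1, 1);
    if (buf == NULL)
        return NULL;
    *out_len = (size_t)sz;
    return buf;
}

/* Build a constructed long-name header whose size field is the given octal string. */
void make_longname_header(unsigned char *hdr, const char *octal)
{
    memset(hdr, 0, T_BLOCKSIZE);
    hdr[TAR_TYPE_OFF] = 'L';
    memcpy(hdr + TAR_SIZE_OFF, octal, strlen(octal) + 1);
}
```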
Created libtar tracking bugs for this issue: Affects: fedora-all [bug 2121300]
The security fixes in question seem to be available in this source RPM package: https://repo.openeuler.org/openEuler-22.03-LTS/update/source/Packages/libtar-1.2.20-21.oe2203.src.rpm
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2898 https://access.redhat.com/errata/RHSA-2023:2898
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-33644