Out-of-Bounds Read Vulnerability in GNU Tar by GNU
CVE-2022-48303

5.5MEDIUM

Key Information:

Vendor: Gnu
Status: Tar
Vendor: CVE Published:; 30 January 2023

Summary

GNU Tar versions up to 1.34 contain an out-of-bounds read vulnerability that can lead to the use of uninitialized memory. This flaw manifests in the 'from_header' function within the list.c file when processing a V7 archive that includes an mtime with approximately 11 whitespace characters. While exploiting this issue to manipulate control flow has not been demonstrated, it raises concerns about the security of applications relying on GNU Tar for archiving and data manipulation.

References

https://savannah.gnu.org/bugs/?62387

https://savannah.gnu.org/patch/?10307

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 30, 2023
Vulnerability Reserved
Jan 30, 2023