Bug 123038 - app-arch/tar: buffer overflow (CVE-2006-0300)
Bug#: 123038 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: taviso@gentoo.org
Component: Vulnerabilities
URL:  http://lists.gnu.org/archive/html/bug-tar/2005-06/msg00029.html
Summary: app-arch/tar: buffer overflow (CVE-2006-0300)
Keywords:  
Status Whiteboard: A2 [glsa]
Opened: 2006-02-16 07:01 0000
Description:   Opened: 2006-02-16 07:01 0000 
This issue is not public.

------- Comment #1 From Tavis Ormandy (RETIRED) 2006-02-16 07:01:30 0000 ------- 
Created an attachment (id=79933) [details]
patch from RedHat

------- Comment #2 From Tavis Ormandy (RETIRED) 2006-02-16 07:02:09 0000 ------- 
Created an attachment (id=79934) [details]
demonstration script to reproduce issue

------- Comment #3 From Tavis Ormandy (RETIRED) 2006-02-16 07:02:47 0000 ------- 
Created an attachment (id=79935) [details]
malformed tar archive

------- Comment #4 From Tavis Ormandy (RETIRED) 2006-02-16 07:05:00 0000 ------- 
Upstream has been informed and has requested non-disclosure until a new version
can be prepared for release.

------- Comment #5 From Thierry Carrez (RETIRED) 2006-02-16 12:40:09 0000 ------- 
.

------- Comment #6 From Tavis Ormandy (RETIRED) 2006-02-22 00:34:58 0000 ------- 
This issue is public

------- Comment #7 From Tavis Ormandy (RETIRED) 2006-02-22 00:47:53 0000 ------- 
base-system: no new release from upstream yet, this issue is pretty serious,
could you patch our package?

------- Comment #8 From SpanKY 2006-02-22 16:20:07 0000 ------- 
i heard from a little birdie that the RedHat patch was not correct ...

------- Comment #9 From Thierry Carrez (RETIRED) 2006-02-26 03:39:08 0000 ------- 
Could you elaborate ? That's not what *my* little birdie told me. And this just
can't wait :)

------- Comment #10 From Thierry Carrez (RETIRED) 2006-03-06 09:44:28 0000 ------- 
vapier/base-system: please apply patch or tell us why you can't

------- Comment #11 From Tavis Ormandy (RETIRED) 2006-03-07 10:03:08 0000 ------- 
This bug is fairly critical, do you have any update vapier/base-system guys?

We really need to get a fix out asap, we're already late on this one.

------- Comment #12 From solar 2006-03-07 11:56:17 0000 ------- 
Added tar-1.15.1-r1 to the tree for CVE-2006-0300

tar-1.15.1: alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86
tar-1.15.1-r1: ~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh
~sparc ~x86

tar aborts correctly when using the demonstration script. 
I also tested a few tar.gz files and a few tar.bz2 files.

tar is a vital program to a functioning gentoo system so arch maintainers 
are encouraged to test carefully.

------- Comment #13 From Thierry Carrez (RETIRED) 2006-03-07 12:43:15 0000 ------- 
Arches please test and mark stable

------- Comment #14 From Jeroen Roovers 2006-03-07 13:12:16 0000 ------- 
Verified, revision tested and marked stable for hppa.

------- Comment #15 From Gustavo Zacarias (RETIRED) 2006-03-07 13:43:47 0000 ------- 
sparc stable.

------- Comment #16 From Tim Yamin (RETIRED) 2006-03-07 16:17:08 0000 ------- 
IA64 done.

------- Comment #17 From AJ Armstrong 2006-03-07 19:48:07 0000 ------- 
Tested app-arch/tar-1.15.1-r1 for amd64.

Builds and runs.
Apparently properly errors on demo script with: "/bin/tar: memory exhausted
/bin/tar: Error is not recoverable: exiting now"

Able to properly untar from tar.bz2 a large archive (kernel sources), retar
with gzip, untar, retar without compression and untar, with no apparent errors
(kernel builds).

Happy to do additional regression tests (this is, after all, a pretty critical
app) if someone can suggest them, otherwise I'd recommend stable on amd64.

------- Comment #18 From Mike Doty 2006-03-07 19:57:08 0000 ------- 
amd64 done

------- Comment #19 From Mark Loeser 2006-03-07 20:38:13 0000 ------- 
x86 done

------- Comment #20 From Markus Rothe 2006-03-07 23:33:58 0000 ------- 
stable on ppc64

------- Comment #21 From Matti Bickel 2006-03-08 05:01:15 0000 ------- 
Builds and runs on ppc. Regression-test as in #17: passed

Also run the demoscript, output while untaring the malformed archive:
pluto ~ # /bin/tar tf z.tar 
/bin/tar: Extended header GNU.sparse.numblocks=4294967296 is out of range
/bin/tar: Malformed extended header: excess GNU.sparse.offset=1048576
big
/bin/tar: Error exit delayed from previous errors

Recommend stable marks on ppc.

------- Comment #22 From Jose Luis Rivero (yoswink) 2006-03-08 17:40:46 0000 ------- 
alpha stable

------- Comment #23 From Thierry Carrez (RETIRED) 2006-03-09 09:41:04 0000 ------- 
ppc please mark stable, following comment #21

------- Comment #24 From Tobias Scherbaum 2006-03-09 11:57:22 0000 ------- 
ppc stable

------- Comment #25 From Thierry Carrez (RETIRED) 2006-03-10 13:00:28 0000 ------- 
GLSA 200603-06

------- Comment #26 From Joshua Kinard 2006-04-23 09:51:26 0000 ------- 
Stable on mips.