Bug 123038

Summary: app-arch/tar: buffer overflow (CVE-2006-0300)
Product: Gentoo Security
Reporter: Tavis Ormandy (RETIRED) <taviso>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: jer
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://lists.gnu.org/archive/html/bug-tar/2005-06/msg00029.html
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Attachments (description, flags):
patch from RedHat (flags: none)
demonstration script to reproduce issue (flags: none)
malformed tar archive (flags: none)

Description Tavis Ormandy (RETIRED) gentoo-dev 2006-02-16 07:01:08 UTC
This issue is not public.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2006-02-16 07:01:30 UTC
Created attachment 79933 [details, diff]
patch from RedHat
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2006-02-16 07:02:09 UTC
Created attachment 79934 [details]
demonstration script to reproduce issue
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2006-02-16 07:02:47 UTC
Created attachment 79935 [details]
malformed tar archive
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2006-02-16 07:05:00 UTC
Upstream has been informed and has requested non-disclosure until a new version can be prepared for release.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-02-16 12:40:09 UTC
.
Comment 6 Tavis Ormandy (RETIRED) gentoo-dev 2006-02-22 00:34:58 UTC
This issue is public
Comment 7 Tavis Ormandy (RETIRED) gentoo-dev 2006-02-22 00:47:53 UTC
base-system: no new release from upstream yet, this issue is pretty serious, could you patch our package?
Comment 8 SpanKY gentoo-dev 2006-02-22 16:20:07 UTC
I heard from a little birdie that the RedHat patch was not correct ...
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2006-02-26 03:39:08 UTC
Could you elaborate? That's not what *my* little birdie told me. And this just can't wait :)
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2006-03-06 09:44:28 UTC
vapier/base-system: please apply patch or tell us why you can't
Comment 11 Tavis Ormandy (RETIRED) gentoo-dev 2006-03-07 10:03:08 UTC
This bug is fairly critical, do you have any update vapier/base-system guys?

We really need to get a fix out asap, we're already late on this one.
Comment 12 solar (RETIRED) gentoo-dev 2006-03-07 11:56:17 UTC
Added tar-1.15.1-r1 to the tree for CVE-2006-0300

tar-1.15.1: alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86
tar-1.15.1-r1: ~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86

tar aborts correctly when using the demonstration script. 
I also tested a few tar.gz files and a few tar.bz2 files.

tar is a vital program to a functioning Gentoo system, so arch maintainers are encouraged to test carefully.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2006-03-07 12:43:15 UTC
Arches please test and mark stable
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2006-03-07 13:12:16 UTC
Verified, revision tested and marked stable for hppa.
Comment 15 Gustavo Zacarias (RETIRED) gentoo-dev 2006-03-07 13:43:47 UTC
sparc stable.
Comment 16 Tim Yamin (RETIRED) gentoo-dev 2006-03-07 16:17:08 UTC
IA64 done.
Comment 17 AJ Armstrong 2006-03-07 19:48:07 UTC
Tested app-arch/tar-1.15.1-r1 for amd64.

Builds and runs.
Apparently properly errors on demo script with: "/bin/tar: memory exhausted
/bin/tar: Error is not recoverable: exiting now"

Able to properly untar from tar.bz2 a large archive (kernel sources), retar with gzip, untar, retar without compression and untar, with no apparent errors (kernel builds).

Happy to do additional regression tests (this is, after all, a pretty critical app) if someone can suggest them, otherwise I'd recommend stable on amd64.
Comment 18 Mike Doty (RETIRED) gentoo-dev 2006-03-07 19:57:08 UTC
amd64 done
Comment 19 Mark Loeser (RETIRED) gentoo-dev 2006-03-07 20:38:13 UTC
x86 done
Comment 20 Markus Rothe (RETIRED) gentoo-dev 2006-03-07 23:33:58 UTC
stable on ppc64
Comment 21 Matti Bickel (RETIRED) gentoo-dev 2006-03-08 05:01:15 UTC
Builds and runs on ppc. Regression-test as in #17: passed

Also ran the demo script; output while untarring the malformed archive:
pluto ~ # /bin/tar tf z.tar 
/bin/tar: Extended header GNU.sparse.numblocks=4294967296 is out of range
/bin/tar: Malformed extended header: excess GNU.sparse.offset=1048576
big
/bin/tar: Error exit delayed from previous errors

Recommend stable marks on ppc.
Comment 22 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2006-03-08 17:40:46 UTC
alpha stable
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2006-03-09 09:41:04 UTC
ppc please mark stable, following comment #21
Comment 24 Tobias Scherbaum (RETIRED) gentoo-dev 2006-03-09 11:57:22 UTC
ppc stable
Comment 25 Thierry Carrez (RETIRED) gentoo-dev 2006-03-10 13:00:28 UTC
GLSA 200603-06
Comment 26 Joshua Kinard gentoo-dev 2006-04-23 09:51:26 UTC
Stable on mips.