Bug 487420 (CVE-2013-4397) - <dev-libs/libtar-1.2.20-r2 : Two Integer Overflow Vulnerabilities (CVE-2013-4397)
Summary: <dev-libs/libtar-1.2.20-r2 : Two Integer Overflow Vulnerabilities (CVE-2013-4...
Status: RESOLVED FIXED
Alias: CVE-2013-4397
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/55188
Whiteboard: B2 [glsa]
Reported: 2013-10-09 11:49 UTC by Alexander Berntsen (RETIRED)
Modified: 2014-02-21 07:48 UTC
Description Alexander Berntsen (RETIRED) gentoo-dev 2013-10-09 11:49:22 UTC
http://packages.qa.debian.org/libt/libtar.html doesn't host 1.2.11-r5 any longer. It's older than their "oldstable" release.

Note: it is *older* than *debian's* *old* *stable* version. Maybe a version bump is in order...
Comment 1 Sergey Popov gentoo-dev 2013-10-11 07:36:07 UTC
Turning this into a security issue:

Two vulnerabilities have been reported in libtar, which can be exploited by malicious people to potentially compromise an application using the library.

1) An integer overflow error within the "th_read()" function (lib/block.c) when processing the long name extension can be exploited to cause a heap-based buffer overflow via a specially crafted archive.

2) An integer overflow error within the "th_read()" function (lib/block.c) when processing the long link extension can be exploited to cause a heap-based buffer overflow via a specially crafted archive.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in versions prior to 1.2.20.
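An added illustration of the arithmetic behind the two overflows described in this comment; this is not libtar's lib/block.c (which is not quoted on this page) but a hypothetical size-to-blocks computation for a long name/link extension, shown unchecked beside a bounds-checked form. The function names, the 32-bit arithmetic and the 1 MiB limit are my assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define T_BLOCKSIZE 512u  /* tar block size; extension data is stored in whole blocks */

/* Parse an octal ASCII size field of a tar header (inputs below are constructed). */
static uint64_t parse_octal(const char *field, size_t n)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n && field[i] >= '0' && field[i] <= '7'; i++)
        v = v * 8 + (uint64_t)(field[i] - '0');
    return v;
}

/* Unchecked pattern (hypothetical, modelled on the bug class above): round the
 * extension size up to whole blocks in 32-bit arithmetic and return the byte
 * count to allocate. A size just under 4 GiB makes blocks*T_BLOCKSIZE wrap to 0,
 * so the allocation is tiny while a copy loop over `blocks` blocks still runs:
 * that mismatch is the heap overflow. Unsigned arithmetic is used so the wrap is
 * well defined; signed int also wraps in practice but is undefined in C. */
uint32_t unchecked_alloc_size(const char *size_field)
{
    uint32_t sz = (uint32_t)parse_octal(size_field, 12);
    uint32_t blocks = sz / T_BLOCKSIZE + (sz % T_BLOCKSIZE ? 1 : 0);
    return blocks * T_BLOCKSIZE;  /* may wrap */
}

/* Hardened pattern: bound the size before doing any arithmetic on it and do the
 * arithmetic in 64 bits. Returns 0 to signal a rejected header. */
size_t checked_alloc_size(const char *size_field, size_t max_extension)
{
    uint64_t sz = parse_octal(size_field, 12);
    if (sz == 0 || sz > max_extension)
        return 0;  /* long name/link longer than the caller's limit: reject */
    uint64_t blocks = (sz + T_BLOCKSIZE - 1) / T_BLOCKSIZE;  /* no wrap: sz is bounded */
    return (size_t)(blocks * T_BLOCKSIZE);
}

int main(void)
{
    /* Constructed size fields: 10 bytes, and 4294966785 bytes (octal 37777777001). */
    printf("small: unchecked=%u checked=%zu\n",
           unchecked_alloc_size("000000000012"), checked_alloc_size("000000000012", 1u << 20));
    printf("huge:  unchecked=%u checked=%zu\n",
           unchecked_alloc_size("37777777001"), checked_alloc_size("37777777001", 1u << 20));
    return 0;
}
```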
Comment 2 Sergey Popov gentoo-dev 2013-10-11 11:07:49 UTC
+  11 Oct 2013; Sergey Popov <pinkbyte@gentoo.org> +libtar-1.2.20.ebuild:
+  Version bump, wrt bug #487420

Raising to B2, because the vulnerabilities are arbitrary code execution

Arches, please test and mark stable =dev-libs/libtar-1.2.20

Target keywords: amd64 ppc ppc64 x86
Comment 3 Agostino Sarubbo gentoo-dev 2013-10-12 16:09:49 UTC
amd64 stable
Comment 4 Sergey Popov gentoo-dev 2013-10-16 09:36:12 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-10-22 08:58:41 UTC
ppc stable
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-10-24 00:07:15 UTC
CVE-2013-4397 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4397):
  Multiple integer overflows in the th_read function in lib/block.c in libtar
  before 1.2.20 allow remote attackers to cause a denial of service (crash)
  and possibly execute arbitrary code via a long (1) name or (2) link in an
  archive, which triggers a heap-based buffer overflow.
Comment 7 Agostino Sarubbo gentoo-dev 2013-10-24 09:23:00 UTC
ppc64 stable
Comment 8 Sergey Popov gentoo-dev 2013-10-28 17:33:45 UTC
Thanks, everyone

GLSA request filed
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-02-21 07:48:24 UTC
This issue was resolved and addressed in GLSA 201402-19 at http://security.gentoo.org/glsa/glsa-201402-19.xml by GLSA coordinator Sergey Popov (pinkbyte).