CVE-2022-48303

Name
CVE-2022-48303
Description
GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://savannah.gnu.org/bugs/?62387
MISC https://savannah.gnu.org/patch/?10307
Mailing List https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CRY7VEL4AIG3GLIEVCTOXRZNSVYDYYUD/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5VQYCO52Z7GAVCLRYUITN7KXHLRZQS4/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:gnu:tar:*:*:*:*:*:*:*:* tar >= None <= 1.34

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
tar 3.17-main 1.34-r2 Carlo Landmeter <clandmeter@alpinelinux.org> fixed
tar 3.16-main 1.34-r1 Carlo Landmeter <clandmeter@alpinelinux.org> fixed
tar 3.15-main 1.34-r1 Carlo Landmeter <clandmeter@alpinelinux.org> fixed
tar 3.14-main 1.34-r1 Carlo Landmeter <clandmeter@alpinelinux.org> fixed
tar 3.18-main 1.34-r3 Carlo Landmeter <clandmeter@alpinelinux.org> fixed