SuSE Local Security Checks : SUSE: Security Advisory (SUSE-SU-2022:1548-1)

Vulnerability Search		Search 324607 CVE descriptions and 146377 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.1.4.2022.1548.1

Category: SuSE Local Security Checks

Title: SUSE: Security Advisory (SUSE-SU-2022:1548-1)

Summary: The remote host is missing an update for the 'tar' package(s) announced via the SUSE-SU-2022:1548-1 advisory.

Description: Summary:
The remote host is missing an update for the 'tar' package(s) announced via the SUSE-SU-2022:1548-1 advisory.

Vulnerability Insight:
This update for tar fixes the following issues:

CVE-2021-20193: Fixed a memory leak in read_header() in list.c
(bsc#1181131).

CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in
sparse.c (bsc#1130496).

CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in
sparse.c (bsc#1120610).

Update to GNU tar 1.34:
* Fix extraction over pipe
* Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131)
* Fix extraction when . and .. are unreadable
* Gracefully handle duplicate symlinks when extracting
* Re-initialize supplementary groups when switching to user privileges

Update to GNU tar 1.33:
* POSIX extended format headers do not include PID by default
* --delay-directory-restore works for archives with reversed member
ordering
* Fix extraction of a symbolic link hardlinked to another symbolic link
* Wildcards in exclude-vcs-ignore mode don't match slash
* Fix the --no-overwrite-dir option
* Fix handling of chained renames in incremental backups
* Link counting works for file names supplied with -T
* Accept only position-sensitive (file-selection) options in file list
files

prepare usrmerge (bsc#1029961)

Update to GNU 1.32
* Fix the use of --checkpoint without explicit --checkpoint-action
* Fix extraction with the -U option
* Fix iconv usage on BSD-based systems
* Fix possible NULL dereference (savannah bug #55369) [bsc#1130496]
[CVE-2019-9923]
* Improve the testsuite

Update to GNU 1.31
* Fix heap-buffer-overrun with --one-top-level, bug introduced with the
addition of that option in 1.28
* Support for zstd compression
* New option '--zstd' instructs tar to use zstd as compression program.
When listing, extractng and comparing, zstd compressed archives are
recognized automatically. When '-a' option is in effect, zstd
compression is selected if the destination archive name ends in '.zst'
or '.tzst'.
* The -K option interacts properly with member names given in the
command line. Names of members to extract can be specified along with
the '-K NAME' option. In this case, tar will extract NAME and those of
named members that appear in the archive after it, which is consistent
with the semantics of the option. Previous versions of tar extracted
NAME, those of named members that appeared before it, and everything
after it.
* Fix CVE-2018-20482 - When creating archives with the --sparse
option, previous versions of tar would loop endlessly if a sparse file
had been truncated while being archived.

Affected Software/OS:
'tar' package(s) on SUSE Linux Enterprise Micro 5.0, SUSE Linux Enterprise Micro 5.1, SUSE Linux Enterprise Micro 5.2, SUSE Linux Enterprise Module for Basesystem 15-SP3, SUSE Linux Enterprise Realtime Extension 15-SP2.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2018-20482
BugTraq ID: 106354
http://www.securityfocus.com/bid/106354
https://security.gentoo.org/glsa/201903-05
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454
http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html
https://news.ycombinator.com/item?id=18745431
https://twitter.com/thatcks/status/1076166645708668928
https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug
https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html
https://lists.debian.org/debian-lts-announce/2021/11/msg00025.html
SuSE Security Announcement: openSUSE-SU-2019:1237 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html
Common Vulnerability Exposure (CVE) ID: CVE-2019-9923
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120
http://savannah.gnu.org/bugs/?55369
https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
Common Vulnerability Exposure (CVE) ID: CVE-2021-20193
GLSA-202105-29
https://security.gentoo.org/glsa/202105-29
https://bugzilla.redhat.com/show_bug.cgi?id=1917565
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777
https://savannah.gnu.org/bugs/?59897

Copyright Copyright (C) 2022 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.1.4.2022.1548.1
Category:	SuSE Local Security Checks
Title:	SUSE: Security Advisory (SUSE-SU-2022:1548-1)
Summary:	The remote host is missing an update for the 'tar' package(s) announced via the SUSE-SU-2022:1548-1 advisory.
Description:	Summary: The remote host is missing an update for the 'tar' package(s) announced via the SUSE-SU-2022:1548-1 advisory. Vulnerability Insight: This update for tar fixes the following issues: CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131). CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496). CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610). Update to GNU tar 1.34: * Fix extraction over pipe * Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131) * Fix extraction when . and .. are unreadable * Gracefully handle duplicate symlinks when extracting * Re-initialize supplementary groups when switching to user privileges Update to GNU tar 1.33: * POSIX extended format headers do not include PID by default * --delay-directory-restore works for archives with reversed member ordering * Fix extraction of a symbolic link hardlinked to another symbolic link * Wildcards in exclude-vcs-ignore mode don't match slash * Fix the --no-overwrite-dir option * Fix handling of chained renames in incremental backups * Link counting works for file names supplied with -T * Accept only position-sensitive (file-selection) options in file list files prepare usrmerge (bsc#1029961) Update to GNU 1.32 * Fix the use of --checkpoint without explicit --checkpoint-action * Fix extraction with the -U option * Fix iconv usage on BSD-based systems * Fix possible NULL dereference (savannah bug #55369) [bsc#1130496] [CVE-2019-9923] * Improve the testsuite Update to GNU 1.31 * Fix heap-buffer-overrun with --one-top-level, bug introduced with the addition of that option in 1.28 * Support for zstd compression * New option '--zstd' instructs tar to use zstd as compression program. When listing, extractng and comparing, zstd compressed archives are recognized automatically. When '-a' option is in effect, zstd compression is selected if the destination archive name ends in '.zst' or '.tzst'. * The -K option interacts properly with member names given in the command line. Names of members to extract can be specified along with the '-K NAME' option. In this case, tar will extract NAME and those of named members that appear in the archive after it, which is consistent with the semantics of the option. Previous versions of tar extracted NAME, those of named members that appeared before it, and everything after it. * Fix CVE-2018-20482 - When creating archives with the --sparse option, previous versions of tar would loop endlessly if a sparse file had been truncated while being archived. Affected Software/OS: 'tar' package(s) on SUSE Linux Enterprise Micro 5.0, SUSE Linux Enterprise Micro 5.1, SUSE Linux Enterprise Micro 5.2, SUSE Linux Enterprise Module for Basesystem 15-SP3, SUSE Linux Enterprise Realtime Extension 15-SP2. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2018-20482 BugTraq ID: 106354 http://www.securityfocus.com/bid/106354 https://security.gentoo.org/glsa/201903-05 http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454 http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html https://news.ycombinator.com/item?id=18745431 https://twitter.com/thatcks/status/1076166645708668928 https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html https://lists.debian.org/debian-lts-announce/2021/11/msg00025.html SuSE Security Announcement: openSUSE-SU-2019:1237 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html Common Vulnerability Exposure (CVE) ID: CVE-2019-9923 http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120 http://savannah.gnu.org/bugs/?55369 https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241 https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E Common Vulnerability Exposure (CVE) ID: CVE-2021-20193 GLSA-202105-29 https://security.gentoo.org/glsa/202105-29 https://bugzilla.redhat.com/show_bug.cgi?id=1917565 https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777 https://savannah.gnu.org/bugs/?59897
Copyright	Copyright (C) 2022 Greenbone AG