Debian alert DLA-4033-1 (libtar)
From: Adrian Bunk <bunk@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4033-1] libtar security update
Date: Tue, 28 Jan 2025 22:36:03 +0200
Message-ID: <Z5k/s/jzk4Let4F9@localhost>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4033-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
January 28, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libtar
Version : 1.2.20-8+deb12u1~deb11u1
CVE ID  : CVE-2021-33643 CVE-2021-33644 CVE-2021-33645 CVE-2021-33646

Multiple vulnerabilities have been fixed in libtar, a library for
manipulating tar archives.

CVE-2021-33643

    out-of-bounds read in gnu_longlink()

CVE-2021-33644

    out-of-bounds read in gnu_longname()

CVE-2021-33645

    memory leak in th_read()

CVE-2021-33646

    memory leak in th_read()

For Debian 11 bullseye, these problems have been fixed in version
1.2.20-8+deb12u1~deb11u1.

We recommend that you upgrade your libtar packages.

For the detailed security status of libtar please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libtar

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS