GNU Tar跨界内存读

admin

0
文章

0
评论

2023-11-30 03:48:52 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

低危 GNU Tar跨界内存读

CVE编号

CVE-2022-48303

利用情况

暂无

补丁情况

官方补丁

披露时间

2023-01-30

漏洞描述

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://savannah.gnu.org/bugs/?62387
https://savannah.gnu.org/patch/?10307

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	gnu	tar	*		Up to (including) 1.34
	运行在以下环境
	系统	alpine_3.14	tar	*		Up to (excluding) 1.34-r1
	运行在以下环境
	系统	alpine_3.15	tar	*		Up to (excluding) 1.34-r1
	运行在以下环境
	系统	alpine_3.16	tar	*		Up to (excluding) 1.34-r1
	运行在以下环境
	系统	alpine_3.17	tar	*		Up to (excluding) 1.34-r2
	运行在以下环境
	系统	alpine_3.18	tar	*		Up to (excluding) 1.34-r2
	运行在以下环境
	系统	alpine_edge	tar	*		Up to (excluding) 1.34-r2
	运行在以下环境
	系统	amazon_2	tar	*		Up to (excluding) 1.26-35.amzn2.0.1
	运行在以下环境
	系统	amazon_2023	tar	*		Up to (excluding) 1.34-1.amzn2023.0.3
	运行在以下环境
	系统	amazon_AMI	tar	*		Up to (excluding) 1.26-31.23.amzn1
	运行在以下环境
	系统	anolis_os_8	tar	*		Up to (excluding) 1.30-6.0.1
	运行在以下环境
	系统	centos_8	tar-debuginfo	*		Up to (excluding) 1.30-6.el8_7.1
	运行在以下环境
	系统	debian_10	tar	*		Up to (including) 1.30+dfsg-6
	运行在以下环境
	系统	debian_11	tar	*		Up to (including) 1.34+dfsg-1
	运行在以下环境
	系统	debian_12	tar	*		Up to (including) 1.34+dfsg-1.2
	运行在以下环境
	系统	debian_sid	tar	*		Up to (including) 1.34+dfsg-1.2
	运行在以下环境
	系统	fedora_37	tar-debuginfo	*		Up to (excluding) 1.34-6.fc37
	运行在以下环境
	系统	fedora_38	tar-debuginfo	*		Up to (excluding) 1.34-8.fc38
	运行在以下环境
	系统	kylinos_aarch64_V10	tar	*		Up to (excluding) 1.32-3.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP1	tar	*		Up to (excluding) 1.32-3.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP2	tar	*		Up to (excluding) 1.32-3.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP3	tar	*		Up to (excluding) 1.32-3.ky10
	运行在以下环境
	系统	kylinos_loongarch64_V10SP1	tar	*		Up to (excluding) 1.32-3.a.ky10
	运行在以下环境
	系统	kylinos_loongarch64_V10SP3	tar	*		Up to (excluding) 1.32-3.a.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10	tar	*		Up to (excluding) 1.32-3.ky10
	运行在以下环境
	系统	opensuse_5.2	tar	*		Up to (excluding) 1.34-150000.3.31.1
	运行在以下环境
	系统	opensuse_5.3	tar	*		Up to (excluding) 1.34-150000.3.31.1
	运行在以下环境
	系统	opensuse_Leap_15.4	tar-doc	*		Up to (excluding) 1.34-150000.3.31.1
	运行在以下环境
	系统	oracle_8	oraclelinux-release	*		Up to (excluding) 1.30-6.el8_7.1
	运行在以下环境
	系统	oracle_9	oraclelinux-release	*		Up to (excluding) 1.34-6.el9_1
	运行在以下环境
	系统	redhat_8	tar-debuginfo	*		Up to (excluding) 1.30-6.el8_7.1
	运行在以下环境
系统	redhat_9	tar-debugsource	*		Up to (excluding) 1.34-6.el9_1
运行在以下环境
系统	suse_12_SP5	tar	*		Up to (excluding) 1.27.1-15.18.1
运行在以下环境
系统	ubuntu_18.04	tar	*		Up to (excluding) 1.29b-2ubuntu0.4
运行在以下环境
系统	ubuntu_20.04	tar	*		Up to (excluding) 1.30+dfsg-7ubuntu0.20.04.3
运行在以下环境
系统	ubuntu_22.04	tar	*		Up to (excluding) 1.34+dfsg-1ubuntu0.1.22.04.1
运行在以下环境
系统	ubuntu_22.10	tar	*		Up to (excluding) 1.34+dfsg-1ubuntu0.1.22.10.1
运行在以下环境
系统	unionos_a	tar	*		Up to (excluding) tar-1.32-3.uelc20.02
运行在以下环境
系统	unionos_e	tar	*		Up to (excluding) tar-1.32-3.uel20.02