CVE-2022-48303

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.
Configurations

Configuration 1 (hide)

cpe:2.3:a:gnu:tar:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

History

21 Nov 2024, 07:33

Type Values Removed Values Added
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CRY7VEL4AIG3GLIEVCTOXRZNSVYDYYUD/ - Mailing List, Third Party Advisory () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CRY7VEL4AIG3GLIEVCTOXRZNSVYDYYUD/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5VQYCO52Z7GAVCLRYUITN7KXHLRZQS4/ - Mailing List, Third Party Advisory () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5VQYCO52Z7GAVCLRYUITN7KXHLRZQS4/ - Mailing List, Third Party Advisory
References () https://savannah.gnu.org/bugs/?62387 - Exploit, Vendor Advisory () https://savannah.gnu.org/bugs/?62387 - Exploit, Vendor Advisory
References () https://savannah.gnu.org/patch/?10307 - Patch, Vendor Advisory () https://savannah.gnu.org/patch/?10307 - Patch, Vendor Advisory
Summary
  • (es) GNU Tar hasta 1.34 tiene una lectura fuera de los límites de un byte que resulta en el uso de memoria no inicializada para un salto condicional. No se ha demostrado explotación para cambiar el flujo de control. El problema ocurre en from_header en list.c a través de un archivo V7 en el que mtime tiene aproximadamente 11 caracteres de espacio en blanco.

30 May 2023, 17:16

Type Values Removed Values Added
CPE cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 7.8
v2 : unknown
v3 : 5.5
First Time Fedoraproject fedora
Fedoraproject
References (MISC) https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5VQYCO52Z7GAVCLRYUITN7KXHLRZQS4/ - (MISC) https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5VQYCO52Z7GAVCLRYUITN7KXHLRZQS4/ - Mailing List, Third Party Advisory
References (MISC) https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CRY7VEL4AIG3GLIEVCTOXRZNSVYDYYUD/ - (MISC) https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CRY7VEL4AIG3GLIEVCTOXRZNSVYDYYUD/ - Mailing List, Third Party Advisory

Information

Published : 2023-01-30 04:15

Updated : 2024-11-21 07:33


NVD link : CVE-2022-48303

Mitre link : CVE-2022-48303

CVE.ORG link : CVE-2022-48303


JSON object : View

Products Affected

gnu

  • tar

fedoraproject

  • fedora
CWE
CWE-125

Out-of-bounds Read