[SECURITY] [DLA 1623-1] tar security update

2018-12-3109:51:16

lists.debian.org

CVSS2

1.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:N/I:N/A:P

CVSS3

4.7

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

5.1

Confidence

High

EPSS

Percentile

5.1%

JSON

Package : tar
Version : 1.27.1-2+deb8u2
CVE ID : CVE-2018-20482
Debian Bug : #917377

It was discovered that there was a potential denial of service
vulnerability in tar, the GNU version of the tar UNIX archiving
utility.

The --sparse argument looped endlessly if the file shrank whilst
it was being read. Tar would only break out of this endless loop
if the file grew again to (or beyond) its original end of file.

For Debian 8 "Jessie", this issue has been fixed in tar version
1.27.1-2+deb8u2.

We recommend that you upgrade your tar packages.

Regards,

  ,&#x27;&#x27;`.
 : :&#x27;  :     Chris Lamb
 `. `&#x27;`      [email protected] / chris-lamb.co.uk
   `-

OSVersionArchitecturePackageVersionFilename
Debian8alltar< 1.27.1-2+deb8u2tar_1.27.1-2+deb8u2_all.deb
Debian9arm64tar< 1.29b-1.1+deb9u1tar_1.29b-1.1+deb9u1_arm64.deb
Debian9amd64tar< 1.29b-1.1+deb9u1tar_1.29b-1.1+deb9u1_amd64.deb
Debian8armeltar< 1.27.1-2+deb8u2tar_1.27.1-2+deb8u2_armel.deb
Debian9armeltar< 1.29b-1.1+deb9u1tar_1.29b-1.1+deb9u1_armel.deb
Debian9armeltar-scripts< 1.29b-1.1+deb9u1tar-scripts_1.29b-1.1+deb9u1_armel.deb
Debian8armhftar< 1.27.1-2+deb8u2tar_1.27.1-2+deb8u2_armhf.deb
Debian9armhftar< 1.29b-1.1+deb9u1tar_1.29b-1.1+deb9u1_armhf.deb
Debian9arm64tar-scripts< 1.29b-1.1+deb9u1tar-scripts_1.29b-1.1+deb9u1_arm64.deb
Debian8amd64tar-scripts< 1.27.1-2+deb8u2tar-scripts_1.27.1-2+deb8u2_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	all	tar	< 1.27.1-2+deb8u2	tar_1.27.1-2+deb8u2_all.deb
Debian	9	arm64	tar	< 1.29b-1.1+deb9u1	tar_1.29b-1.1+deb9u1_arm64.deb
Debian	9	amd64	tar	< 1.29b-1.1+deb9u1	tar_1.29b-1.1+deb9u1_amd64.deb
Debian	8	armel	tar	< 1.27.1-2+deb8u2	tar_1.27.1-2+deb8u2_armel.deb
Debian	9	armel	tar	< 1.29b-1.1+deb9u1	tar_1.29b-1.1+deb9u1_armel.deb
Debian	9	armel	tar-scripts	< 1.29b-1.1+deb9u1	tar-scripts_1.29b-1.1+deb9u1_armel.deb
Debian	8	armhf	tar	< 1.27.1-2+deb8u2	tar_1.27.1-2+deb8u2_armhf.deb
Debian	9	armhf	tar	< 1.29b-1.1+deb9u1	tar_1.29b-1.1+deb9u1_armhf.deb
Debian	9	arm64	tar-scripts	< 1.29b-1.1+deb9u1	tar-scripts_1.29b-1.1+deb9u1_arm64.deb
Debian	8	amd64	tar-scripts	< 1.27.1-2+deb8u2	tar-scripts_1.27.1-2+deb8u2_amd64.deb