Libtar <= 1.2.19 Integer overflow

Posted on 10 October 2013

Forwarding information from the linux-distros list to oss-sec, since
the issue is public now

Details:

An integer overflow vulnerability was identified in libtar 1.2.19 (and
olders) that can possibly be exploited for arbitrary code execution when
extracting a specially crafted tar file.

A coordinated release date (CRD) of October 9th has been agreed with
Chris Frey (libtar developer).

This issue is assigned CVE-2013-4397.
This issue is fixed in libtar-1.2.20

Reference:

Upstream patch:
http://repo.or.cz/w/libtar.git/commit/45448e8bae671c2f7e80b860ae0fc0cedf2bdc04

Announcement: This is an announcement about the release on
libtar list, but strangely i cant access the list archives.
(i am subscribed to the mailing list though)

Red Hat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1014492

TOP

Malware :

Backdoor:Win32/Heloag.A
Exploit:Win32/CVE-2011-3402
Trojan:Win32/Obfac
Exploit:Win32/Pdfjsc.YP
TrojanDownloader:Win32/Bofang.B

Last 20

Exploits :

Customer Support System 1.0 Cross Site Scripting
Xhibiter NFT Marketplace 1.10.2 SQL Injection
WordPress WPCode Lite 2.1.14 Cross Site Scripting
Azon Dominator Affiliate Marketing Script SQL Injection
Simple Laboratory Management System 1.0 SQL Injection

Last 20

Libtar &lt;= 1.2.19 Integer overflow

Malware :

Exploits :

Libtar <= 1.2.19 Integer overflow