[Buildroot] [PATCH 3/4] package/tar: add upstream patch for CVE-2022-48303
Peter Korsgaard
peter at korsgaard.com
Tue Nov 14 07:57:29 UTC 2023
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes CVE-2022-48303: GNU Tar through 1.34 has a one-byte out-of-bounds read
> that results in use of uninitialized memory for a conditional jump.
> Exploitation to change the flow of control has not been demonstrated. The
> issue occurs in from_header in list.c via a V7 archive in which mtime has
> approximately 11 whitespace characters.
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2023.02.x and 2023.08.x, thanks.
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list