Debian Security Advisory

DLA-1623-1 tar -- LTS security update

Date Reported:
31 Dec 2018
Affected Packages:
tar
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2018-20482.
More information:

It was discovered that there was a potential denial of service vulnerability in tar, the GNU version of the tar UNIX archiving utility.

The --sparse argument looped endlessly if the file shrank whilst it was being read. Tar would only break out of this endless loop if the file grew again to (or beyond) its original end of file.
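As an added illustration (not Debian's or GNU tar's code), the following shows the defensive shape of a size-committed read loop: the member size was fixed from stat() before reading, and if the file shrinks under the reader, EOF is detected and the remainder zero-padded instead of re-reading indefinitely. The file, sizes and shrink hook are constructed for the demo.

```python
import io
import os
import tempfile

CHUNK = 512


def copy_expected_size(src_fd, dst, expected_size, on_chunk=None):
    """Copy exactly expected_size bytes from src_fd to dst.

    If read() returns b'' before expected_size bytes arrived, the file
    shrank while being read. Rather than retrying until the file grows
    back (the endless loop in the advisory), pad with zeros so the output
    keeps the announced length and report the shrinkage to the caller.
    Returns (bytes_written, shrank).
    """
    written = 0
    while written < expected_size:
        data = os.read(src_fd, min(CHUNK, expected_size - written))
        if not data:
            dst.write(b"\0" * (expected_size - written))
            return expected_size, True
        dst.write(data)
        written += len(data)
        if on_chunk is not None:
            on_chunk(written)  # hook used below to simulate concurrent truncation
    return written, False


def demo_shrinking_file(size=4096, shrink_to=700):
    """Constructed scenario: the file is truncated after the first chunk is read."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"A" * size)
        path = f.name
    try:
        fd = os.open(path, os.O_RDONLY)
        try:
            expected = os.fstat(fd).st_size  # size committed before reading
            out = io.BytesIO()
            written, shrank = copy_expected_size(
                fd, out, expected,
                on_chunk=lambda _n: os.truncate(path, shrink_to))
        finally:
            os.close(fd)
        return written, shrank, len(out.getvalue())
    finally:
        os.unlink(path)
```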

For Debian 8 Jessie, this issue has been fixed in tar version 1.27.1-2+deb8u2.

We recommend that you upgrade your tar packages.