tar: Update fix for CVE-2022-48303 to upstream version - linux/poky.git

diff options

author	Joe Slater <joe.slater@windriver.com>	2023-02-17 15:01:22 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-02-19 07:47:53 +0000
commit	add828fa4feafba18930b53ff2deca62d7a02ffd (patch)
tree	8b3f9371a09a634649909a12c54eb1d9c856df8e /meta/lib/oe/qa.py
parent	432941810577903ef0116a1f5c6d7e41f5077ed8 (diff)
download	poky-add828fa4feafba18930b53ff2deca62d7a02ffd.tar.gz

tar: Update fix for CVE-2022-48303 to upstream version

Fixes CVE-2022-48303 by checking Base-256 encoding is at least 2 bytes long. GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-48303 Upstream patch: https://savannah.gnu.org/bugs/?62387 https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8 (From OE-Core rev: 0043c9d3f7b65a0cbb0a27c37b4825b8f5511dec) Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com> Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Diffstat (limited to 'meta/lib/oe/qa.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: