CVE-2018-20482

CWE-83510 documents8 sources

Severity

4.7MEDIUM

EPSS

0.0%

top 94.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU TAR Debian Debian Linux Opensuse Leap

Timeline

PublishedDec 26

Latest updateMay 13

Description

GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.0 | Impact: 3.6

Affected Packages4 packages

▶Debiantar< 1.30+dfsg-3.1+3

▶Ubuntutar< 1.28-2.1ubuntu0.2+3

▶NVDgnu/tar1.30

▶NVDopensuse/leap15.0

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: git.savannah.gnu.org ↗Patch: twitter.com ↗Patch: utcc.utoronto.ca ↗

🔴Vulnerability Details

GHSA

GHSA-pm5x-48pq-67cq: GNU Tar through 1↗2022-05-13

▶

OSV

tar vulnerabilities↗2021-01-13

▶

CVEList

CVE-2018-20482: GNU Tar through 1↗2018-12-26

▶

OSV

CVE-2018-20482: GNU Tar through 1↗2018-12-26

▶

📋Vendor Advisories

Ubuntu

tar vulnerabilities↗2021-01-13

▶

Red Hat

tar: Infinite read loop in sparse_dump_region function in sparse.c↗2018-12-26

▶

Debian

CVE-2018-20482: tar - GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during re...↗2018

▶

💬Community

Bugzilla

CVE-2018-20482 tar: Infinite read loop in sparse_dump_region function in sparse.c [fedora-all]↗2018-12-27

▶

Bugzilla

CVE-2018-20482 tar: Infinite read loop in sparse_dump_region function in sparse.c↗2018-12-27

▶