CVE-2021-33644: Out-of-bounds Read in Libtar

CWE-125: Out-of-bounds Read (8 documents, 7 sources)

Severity: 8.1 HIGH (NVD); OSV: 9.1
EPSS: 0.2% (top 52.18%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 10; Latest update Mar 31

Description

An attacker who submits a crafted tar file with the size in the header struct being 0 may be able to trigger a call to malloc(0) for the variable gnu_longname, causing an out-of-bounds read.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H (Exploitability: 2.8 | Impact: 5.2)

Affected Packages (15 packages)

Source      Package          Affected versions
NVD         feep/libtar      < 1.2.21
Debian      debian/libtar    < libtar 1.2.20-8+deb12u1 (bookworm)
Debian      feep/libtar      < 1.2.20-8+deb12u1~deb11u1+1
Ubuntu      feep/libtar      < 1.2.20-8ubuntu0.20.04.1+4
CVEListV5   feep/libtar      < 1.2.21

Also affects: Fedora 35, 36, 37

Vulnerability Details (3)

OSV: libtar vulnerabilities (2025-03-31)
GHSA: GHSA-f326-p7mm-52h2: An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longna (2022-08-11)
OSV: CVE-2021-33644: An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longna (2022-08-10)

Vendor Advisories (4)

Ubuntu: libtar vulnerabilities (2025-03-31)
Red Hat: libtar: out-of-bounds read in gnu_longname (2022-08-10)
Microsoft: An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longname causing an out-of-bounds read. (2022-08-09)
Debian: CVE-2021-33644: libtar - An attacker who submits a crafted tar file with size in header struct being 0 ma... (2021)
CVE-2021-33644 — Out-of-bounds Read in Feep Libtar | cvebase