Msrc Azl3 Libtar 1.2.20-11 On Azure Linux 3.0 vulnerabilities

5 known vulnerabilities affecting msrc/azl3_libtar_1.2.20-11_on_azure_linux_3.0.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3

Vulnerabilities

CVE-2021-33640 | CRITICAL | CVSS 9.8 | 2022-12-13
CVE-2021-33640 [MEDIUM] CWE-416 After tar_close(), libtar.c releases the memory pointed to by pointer t. After tar_close() is called in the list() function, it continues to use pointer t: free_longlink_longname(t->th_buf). As a result, the released memory is used (use-after-free). FAQ: Is Azure Linu
msrc
CVE-2021-33643 | CRITICAL | CVSS 9.1 | 2022-08-09
CVE-2021-33643 [CRITICAL] CWE-125 An attacker who submits a crafted tar file with the size in the header struct being 0 may be able to trigger a call to malloc(0) for the variable gnu_longlink, causing an out-of-bounds read. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is ther
msrc
CVE-2021-33646 | HIGH | CVSS 7.5 | 2022-08-09
CVE-2021-33646 [HIGH] CWE-401 The th_read() function doesn't free the variable t->th_buf.gnu_longname after allocating memory, which may cause a memory leak. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Li
msrc
CVE-2021-33644 | HIGH | CVSS 8.1 | 2022-08-09
CVE-2021-33644 [HIGH] CWE-125 An attacker who submits a crafted tar file with the size in the header struct being 0 may be able to trigger a call to malloc(0) for the variable gnu_longname, causing an out-of-bounds read. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefor
msrc
CVE-2021-33645 | HIGH | CVSS 7.5 | 2022-08-09
CVE-2021-33645 [HIGH] CWE-401 The th_read() function doesn't free the variable t->th_buf.gnu_longlink after allocating memory, which may cause a memory leak. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Li
msrc