Amazon Linux 2 Security Advisory: ALAS-2023-1994
Advisory Release Date: 2023-03-17 16:34 Pacific
Advisory Updated Date: 2023-03-21 23:24 Pacific
Severity:
Important
Issue Overview:
GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters. (CVE-2022-48303)
Affected Packages:
tar
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update tar to update your system.
New Packages:
aarch64:
tar-1.26-35.amzn2.0.1.aarch64
tar-debuginfo-1.26-35.amzn2.0.1.aarch64
i686:
tar-1.26-35.amzn2.0.1.i686
tar-debuginfo-1.26-35.amzn2.0.1.i686
src:
tar-1.26-35.amzn2.0.1.src
x86_64:
tar-1.26-35.amzn2.0.1.x86_64
tar-debuginfo-1.26-35.amzn2.0.1.x86_64