ALAS2023-2023-153


Amazon Linux 2023 Security Advisory: ALAS-2023-153
Advisory Release Date: 2023-03-30 21:11 Pacific
Advisory Updated Date: 2023-04-04 21:33 Pacific
Severity: Important

Issue Overview:

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters. (CVE-2022-48303)


Affected Packages:

tar


Issue Correction:
Run dnf update tar --releasever=2023.0.20230329 to update your system.

New Packages:
aarch64:
    tar-debuginfo-1.34-1.amzn2023.0.3.aarch64
    tar-1.34-1.amzn2023.0.3.aarch64
    tar-debugsource-1.34-1.amzn2023.0.3.aarch64

src:
    tar-1.34-1.amzn2023.0.3.src

x86_64:
    tar-debuginfo-1.34-1.amzn2023.0.3.x86_64
    tar-1.34-1.amzn2023.0.3.x86_64
    tar-debugsource-1.34-1.amzn2023.0.3.x86_64