ALAS-2023-1704

Amazon Linux 1 Security Advisory: ALAS-2023-1704
Advisory Release Date: 2023-03-17 15:53 Pacific
Advisory Updated Date: 2023-03-22 18:51 Pacific

Severity: Important

References: CVE-2022-48303
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters. (CVE-2022-48303)

Affected Packages:

tar

Issue Correction:
Run yum update tar to update your system.

New Packages:

i686:
    tar-1.26-31.23.amzn1.i686
    tar-debuginfo-1.26-31.23.amzn1.i686

src:
    tar-1.26-31.23.amzn1.src

x86_64:
    tar-1.26-31.23.amzn1.x86_64
    tar-debuginfo-1.26-31.23.amzn1.x86_64

Additional References

Red Hat: CVE-2022-48303

Mitre: CVE-2022-48303