CVE-2018-20482

GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparsedumpregion in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).

References

Affected packages

Git / git.savannah.gnu.org/git/tar.git/

Affected ranges

Type

GIT

Repo

http://git.savannah.gnu.org/git/tar.git/

Events

Introduced

Last affected

f8459cf8387cc2c7b3f1818a6379957fc23f5a21

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.30"
        }
    ]
}

Type: GIT
Repo: https://cgit.git.savannah.gnu.org/cgit/tar.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c15c42ccd1e2377945fd0414eca1a49294bff454

Affected versions

Other

alpha_1_13_93

alpha_1_15_90

alpha_1_15_90_incremental_1

alpha_1_15_91

old

release_1_14

release_1_15

release_1_15_1

release_1_16

release_1_16_1

release_1_17

release_1_18

release_1_19

release_1_20

release_1_21

release_1_22

release_1_23

release_1_24

release_1_25

release_1_26

release_1_27

release_1_27_1

release_1_28

release_1_29

release_1_30

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "15.0"
            }
        ]
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-20482.json"