[Buildroot] [PATCH 1/1] package/tar: security bump to version 1.35

[Buildroot] [PATCH 1/1] package/tar: security bump to version 1.35

[Fabrice Fontaine]

- Fix CVE-2022-48303: GNU Tar through 1.34 has a one-byte out-of-bounds
  read that results in use of uninitialized memory for a conditional
  jump. Exploitation to change the flow of control has not been
  demonstrated. The issue occurs in from_header in list.c via a V7
  archive in which mtime has approximately 11 whitespace characters.
- Update hash of COPYING (http replaced by https)

https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/tar/tar.hash | 6 +++---
 package/tar/tar.mk   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/tar/tar.hash b/package/tar/tar.hash
index 1914a9f3b4..108a95ee62 100644
--- a/package/tar/tar.hash
+++ b/package/tar/tar.hash
@@ -1,4 +1,4 @@
 # Locally calculated after checking signature
-sha256  63bebd26879c5e1eea4352f0d03c991f966aeb3ddeb3c7445c902568d5411d28  tar-1.34.tar.xz
-sha256  51337b19c71df92cd4f51c50efe4dc6ddc267d31fd54679be9e9bc2e6ce8132b  tar-1.34.cpio.gz
-sha256  8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903  COPYING
+sha256  4d62ff37342ec7aed748535323930c7cf94acf71c3591882b26a7ea50f3edc16  tar-1.35.tar.xz
+sha256  c77a38fcf25b21fd8209d20d35638744344ded239cfc7df80138bf46d3c6b16d  tar-1.35.cpio.gz
+sha256  3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986  COPYING
diff --git a/package/tar/tar.mk b/package/tar/tar.mk
index 690a5952ba..eea112ebc7 100644
--- a/package/tar/tar.mk
+++ b/package/tar/tar.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-TAR_VERSION = 1.34
+TAR_VERSION = 1.35
 TAR_SOURCE = tar-$(TAR_VERSION).tar.xz
 TAR_SITE = $(BR2_GNU_MIRROR)/tar
 # busybox installs in /bin, so we need tar to install as well in /bin
-- 
2.40.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/tar: security bump to version 1.35

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Fix CVE-2022-48303: GNU Tar through 1.34 has a one-byte out-of-bounds
 >   read that results in use of uninitialized memory for a conditional
 >   jump. Exploitation to change the flow of control has not been
 >   demonstrated. The issue occurs in from_header in list.c via a V7
 >   archive in which mtime has approximately 11 whitespace characters.
 > - Update hash of COPYING (http replaced by https)

 > https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/tar: security bump to version 1.35

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Fix CVE-2022-48303: GNU Tar through 1.34 has a one-byte out-of-bounds
 >   read that results in use of uninitialized memory for a conditional
 >   jump. Exploitation to change the flow of control has not been
 >   demonstrated. The issue occurs in from_header in list.c via a V7
 >   archive in which mtime has approximately 11 whitespace characters.
 > - Update hash of COPYING (http replaced by https)

 > https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2023.02.x and 2023.08.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot