Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
16 vulnerabilities found for libtar by feep
VAR-202208-0889
Vulnerability from variot - Updated: 2025-11-18 15:06An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longlink, causing an out-of-bounds read. feep.net of libtar Products from other vendors have out-of-bounds read vulnerabilities.Information is obtained and service operation is interrupted (DoS) It may be in a state. openEuler is an operating system of the Open Atom Open Source Foundation. There are security vulnerabilities in openEuler 20.03-LTS-SP1, 20.03-LTS-SP3, and 22.03-LTS versions of the Open Atom Open Source Foundation. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: libtar security update Advisory ID: RHSA-2023:2898-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:2898 Issue date: 2023-05-16 CVE Names: CVE-2021-33643 CVE-2021-33644 CVE-2021-33645 CVE-2021-33646 ==================================================================== 1. Summary:
An update for libtar is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
- Description:
The libtar packages contain a C library for manipulating tar archives. The library supports both the strict POSIX tar format and many of the commonly used GNU extensions.
Security Fix(es):
-
libtar: out-of-bounds read in gnu_longlink (CVE-2021-33643)
-
libtar: out-of-bounds read in gnu_longname (CVE-2021-33644)
-
libtar: memory leak found in th_read() function (CVE-2021-33645)
-
libtar: memory leak found in th_read() function (CVE-2021-33646)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes linked from the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2121289 - CVE-2021-33643 libtar: out-of-bounds read in gnu_longlink 2121292 - CVE-2021-33644 libtar: out-of-bounds read in gnu_longname 2121295 - CVE-2021-33645 libtar: memory leak found in th_read() function 2121297 - CVE-2021-33646 libtar: memory leak found in th_read() function
- Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source: libtar-1.2.20-17.el8.src.rpm
aarch64: libtar-1.2.20-17.el8.aarch64.rpm libtar-debuginfo-1.2.20-17.el8.aarch64.rpm libtar-debugsource-1.2.20-17.el8.aarch64.rpm
ppc64le: libtar-1.2.20-17.el8.ppc64le.rpm libtar-debuginfo-1.2.20-17.el8.ppc64le.rpm libtar-debugsource-1.2.20-17.el8.ppc64le.rpm
s390x: libtar-1.2.20-17.el8.s390x.rpm libtar-debuginfo-1.2.20-17.el8.s390x.rpm libtar-debugsource-1.2.20-17.el8.s390x.rpm
x86_64: libtar-1.2.20-17.el8.i686.rpm libtar-1.2.20-17.el8.x86_64.rpm libtar-debuginfo-1.2.20-17.el8.i686.rpm libtar-debuginfo-1.2.20-17.el8.x86_64.rpm libtar-debugsource-1.2.20-17.el8.i686.rpm libtar-debugsource-1.2.20-17.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2021-33643 https://access.redhat.com/security/cve/CVE-2021-33644 https://access.redhat.com/security/cve/CVE-2021-33645 https://access.redhat.com/security/cve/CVE-2021-33646 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBZGNwdNzjgjWX9erEAQjfPw//SoG/pVemP1peDGxUFDfBMBbldrFWpNro Te4tTe3YAkVgQgtnGZ8n3Arlrryk+3wfgQj3u9gdUj1w14YyEZC8hpWLCXI5iw/P Ul4dHHOnO0UW568dkaqUeJjl02o2ugRp2RZVt14yuZqLKmF9WCJW7lCZQLoqCIVp 7P3vZOQBlyU6BuGXO4Th86fpLDEZCboBQDA2QeNFvt+qNwvNxgb3A05217tfXnZ4 EpltZPIrl8pzEmmWA09XeFgIm5GXNiWjjR/fF3OHSgQ9cmXnafxWSBNiDlzHNQCk 0/z5gcvl+BJLceQoZBo6hdldHCiOF20jCxr8Nb/3sSJ+zAqQqqNsnDQ1TGs2GMDz Mx5JECSk0p79MMKR0mrP2NbCqxqEsqOkjinIa0PDlKNPFbEikA4l7fXu58KyHsr/ V9otYHvD1ilS7cTw1FGi198oodCofA+euZCQBNnWuFbnrCo1cyRBN6mjCMZwDgww ZhNWOUvAmkhtC5ebBb8zuMJ73ojSwiv886kJbEjDlG7SDGbMPHxEAgTHWZp5l+jw z36m+SegsAXE/UKHRYTFriRA5p1pyq/AVUMwhMXvQhwwNxPl2wsaUOJGFBw3Fu3n bAFXpxAngQvELHEFOtmL9fzbnFo93OTkvuz9tJpbvNOCmDBJJEN6Znhic0iWzT0p kHiakPvkvj4=I+bk -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202208-0889",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "openeuler",
"scope": "eq",
"trust": 1.0,
"vendor": "openatom",
"version": "22.03"
},
{
"model": "libtar",
"scope": "lt",
"trust": 1.0,
"vendor": "feep",
"version": "1.2.21"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "37"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "35"
},
{
"model": "openeuler",
"scope": "eq",
"trust": 1.0,
"vendor": "openatom",
"version": "20.03"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "36"
},
{
"model": "fedora",
"scope": null,
"trust": 0.8,
"vendor": "fedora",
"version": null
},
{
"model": "openeuler",
"scope": null,
"trust": 0.8,
"vendor": "huawei",
"version": null
},
{
"model": "libtar",
"scope": null,
"trust": 0.8,
"vendor": "feep net",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-020154"
},
{
"db": "NVD",
"id": "CVE-2021-33643"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "172362"
}
],
"trust": 0.1
},
"cve": "CVE-2021-33643",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2021-33643",
"impactScore": 5.2,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-33643",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-33643",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "CVE-2021-33643",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNNVD",
"id": "CNNVD-202208-2780",
"trust": 0.6,
"value": "CRITICAL"
}
]
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2780"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020154"
},
{
"db": "NVD",
"id": "CVE-2021-33643"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longlink, causing an out-of-bounds read. feep.net of libtar Products from other vendors have out-of-bounds read vulnerabilities.Information is obtained and service operation is interrupted (DoS) It may be in a state. openEuler is an operating system of the Open Atom Open Source Foundation. There are security vulnerabilities in openEuler 20.03-LTS-SP1, 20.03-LTS-SP3, and 22.03-LTS versions of the Open Atom Open Source Foundation. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: libtar security update\nAdvisory ID: RHSA-2023:2898-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2023:2898\nIssue date: 2023-05-16\nCVE Names: CVE-2021-33643 CVE-2021-33644 CVE-2021-33645\n CVE-2021-33646\n====================================================================\n1. Summary:\n\nAn update for libtar is now available for Red Hat Enterprise Linux 8. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64\n\n3. Description:\n\nThe libtar packages contain a C library for manipulating tar archives. The\nlibrary supports both the strict POSIX tar format and many of the commonly\nused GNU extensions. \n\nSecurity Fix(es):\n\n* libtar: out-of-bounds read in gnu_longlink (CVE-2021-33643)\n\n* libtar: out-of-bounds read in gnu_longname (CVE-2021-33644)\n\n* libtar: memory leak found in th_read() function (CVE-2021-33645)\n\n* libtar: memory leak found in th_read() function (CVE-2021-33646)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 8.8 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n2121289 - CVE-2021-33643 libtar: out-of-bounds read in gnu_longlink\n2121292 - CVE-2021-33644 libtar: out-of-bounds read in gnu_longname\n2121295 - CVE-2021-33645 libtar: memory leak found in th_read() function\n2121297 - CVE-2021-33646 libtar: memory leak found in th_read() function\n\n6. Package List:\n\nRed Hat Enterprise Linux AppStream (v. 8):\n\nSource:\nlibtar-1.2.20-17.el8.src.rpm\n\naarch64:\nlibtar-1.2.20-17.el8.aarch64.rpm\nlibtar-debuginfo-1.2.20-17.el8.aarch64.rpm\nlibtar-debugsource-1.2.20-17.el8.aarch64.rpm\n\nppc64le:\nlibtar-1.2.20-17.el8.ppc64le.rpm\nlibtar-debuginfo-1.2.20-17.el8.ppc64le.rpm\nlibtar-debugsource-1.2.20-17.el8.ppc64le.rpm\n\ns390x:\nlibtar-1.2.20-17.el8.s390x.rpm\nlibtar-debuginfo-1.2.20-17.el8.s390x.rpm\nlibtar-debugsource-1.2.20-17.el8.s390x.rpm\n\nx86_64:\nlibtar-1.2.20-17.el8.i686.rpm\nlibtar-1.2.20-17.el8.x86_64.rpm\nlibtar-debuginfo-1.2.20-17.el8.i686.rpm\nlibtar-debuginfo-1.2.20-17.el8.x86_64.rpm\nlibtar-debugsource-1.2.20-17.el8.i686.rpm\nlibtar-debugsource-1.2.20-17.el8.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-33643\nhttps://access.redhat.com/security/cve/CVE-2021-33644\nhttps://access.redhat.com/security/cve/CVE-2021-33645\nhttps://access.redhat.com/security/cve/CVE-2021-33646\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2023 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBZGNwdNzjgjWX9erEAQjfPw//SoG/pVemP1peDGxUFDfBMBbldrFWpNro\nTe4tTe3YAkVgQgtnGZ8n3Arlrryk+3wfgQj3u9gdUj1w14YyEZC8hpWLCXI5iw/P\nUl4dHHOnO0UW568dkaqUeJjl02o2ugRp2RZVt14yuZqLKmF9WCJW7lCZQLoqCIVp\n7P3vZOQBlyU6BuGXO4Th86fpLDEZCboBQDA2QeNFvt+qNwvNxgb3A05217tfXnZ4\nEpltZPIrl8pzEmmWA09XeFgIm5GXNiWjjR/fF3OHSgQ9cmXnafxWSBNiDlzHNQCk\n0/z5gcvl+BJLceQoZBo6hdldHCiOF20jCxr8Nb/3sSJ+zAqQqqNsnDQ1TGs2GMDz\nMx5JECSk0p79MMKR0mrP2NbCqxqEsqOkjinIa0PDlKNPFbEikA4l7fXu58KyHsr/\nV9otYHvD1ilS7cTw1FGi198oodCofA+euZCQBNnWuFbnrCo1cyRBN6mjCMZwDgww\nZhNWOUvAmkhtC5ebBb8zuMJ73ojSwiv886kJbEjDlG7SDGbMPHxEAgTHWZp5l+jw\nz36m+SegsAXE/UKHRYTFriRA5p1pyq/AVUMwhMXvQhwwNxPl2wsaUOJGFBw3Fu3n\nbAFXpxAngQvELHEFOtmL9fzbnFo93OTkvuz9tJpbvNOCmDBJJEN6Znhic0iWzT0p\nkHiakPvkvj4=I+bk\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-33643"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020154"
},
{
"db": "VULHUB",
"id": "VHN-393721"
},
{
"db": "PACKETSTORM",
"id": "172362"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-33643",
"trust": 3.4
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020154",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2780",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-393721",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "172362",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-393721"
},
{
"db": "PACKETSTORM",
"id": "172362"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2780"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020154"
},
{
"db": "NVD",
"id": "CVE-2021-33643"
}
]
},
"id": "VAR-202208-0889",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-393721"
}
],
"trust": 0.01
},
"last_update_date": "2025-11-18T15:06:15.837000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "openEuler Buffer error vulnerability fix",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=204269"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2780"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-125",
"trust": 1.1
},
{
"problemtype": "Out-of-bounds read (CWE-125) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-393721"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020154"
},
{
"db": "NVD",
"id": "CVE-2021-33643"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openeuler-sa-2022-1807"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7q26qdnojdofywmjweik5xr62m2ff6ij/"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/od4hebsti22fnykokk7w3x6zqe6fv3xc/"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4s4pjrcjleawn2ekxglsobtl7o57v7nc/"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7wx5ye66ct7y5c2hthxsfdkqwywywj2t/"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5yshzy753r7xw6cikjvawi373ww3yrrj/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4s4pjrcjleawn2ekxglsobtl7o57v7nc/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7q26qdnojdofywmjweik5xr62m2ff6ij/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7wx5ye66ct7y5c2hthxsfdkqwywywj2t/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/od4hebsti22fnykokk7w3x6zqe6fv3xc/"
},
{
"trust": 1.0,
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00026.html"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5yshzy753r7xw6cikjvawi373ww3yrrj/"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33643"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/libtar-four-vulnerabilities-39176"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2021-33643/"
},
{
"trust": 0.1,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33643"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:2898"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33646"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33646"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33644"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33644"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33645"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33645"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/key/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-393721"
},
{
"db": "PACKETSTORM",
"id": "172362"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2780"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020154"
},
{
"db": "NVD",
"id": "CVE-2021-33643"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-393721"
},
{
"db": "PACKETSTORM",
"id": "172362"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2780"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020154"
},
{
"db": "NVD",
"id": "CVE-2021-33643"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-08-10T00:00:00",
"db": "VULHUB",
"id": "VHN-393721"
},
{
"date": "2023-05-16T17:07:39",
"db": "PACKETSTORM",
"id": "172362"
},
{
"date": "2022-08-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202208-2780"
},
{
"date": "2023-09-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-020154"
},
{
"date": "2022-08-10T20:15:20.450000",
"db": "NVD",
"id": "CVE-2021-33643"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-02-23T00:00:00",
"db": "VULHUB",
"id": "VHN-393721"
},
{
"date": "2022-12-29T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202208-2780"
},
{
"date": "2023-09-19T08:11:00",
"db": "JVNDB",
"id": "JVNDB-2021-020154"
},
{
"date": "2025-11-03T21:15:41.117000",
"db": "NVD",
"id": "CVE-2021-33643"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2780"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "feep.net\u00a0 of \u00a0libtar\u00a0 Out-of-Bounds Read Vulnerability in Other Vendors\u0027 Products",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-020154"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2780"
}
],
"trust": 0.6
}
}
VAR-202208-0814
Vulnerability from variot - Updated: 2025-11-18 15:06The th_read() function doesn’t free a variable t->th_buf.gnu_longname after allocating memory, which may cause a memory leak. feep.net of libtar Products from multiple other vendors are vulnerable to lack of freeing memory after expiration.Service operation interruption (DoS) It may be in a state. openEuler is an operating system of the Open Atom Open Source Foundation. There are security vulnerabilities in openEuler 20.03-LTS-SP1, 20.03-LTS-SP3 and 22.03-LTS versions. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: libtar security update Advisory ID: RHSA-2023:2898-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:2898 Issue date: 2023-05-16 CVE Names: CVE-2021-33643 CVE-2021-33644 CVE-2021-33645 CVE-2021-33646 ==================================================================== 1. Summary:
An update for libtar is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
- Description:
The libtar packages contain a C library for manipulating tar archives. The library supports both the strict POSIX tar format and many of the commonly used GNU extensions.
Security Fix(es):
-
libtar: out-of-bounds read in gnu_longlink (CVE-2021-33643)
-
libtar: out-of-bounds read in gnu_longname (CVE-2021-33644)
-
libtar: memory leak found in th_read() function (CVE-2021-33645)
-
libtar: memory leak found in th_read() function (CVE-2021-33646)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes linked from the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source: libtar-1.2.20-17.el8.src.rpm
aarch64: libtar-1.2.20-17.el8.aarch64.rpm libtar-debuginfo-1.2.20-17.el8.aarch64.rpm libtar-debugsource-1.2.20-17.el8.aarch64.rpm
ppc64le: libtar-1.2.20-17.el8.ppc64le.rpm libtar-debuginfo-1.2.20-17.el8.ppc64le.rpm libtar-debugsource-1.2.20-17.el8.ppc64le.rpm
s390x: libtar-1.2.20-17.el8.s390x.rpm libtar-debuginfo-1.2.20-17.el8.s390x.rpm libtar-debugsource-1.2.20-17.el8.s390x.rpm
x86_64: libtar-1.2.20-17.el8.i686.rpm libtar-1.2.20-17.el8.x86_64.rpm libtar-debuginfo-1.2.20-17.el8.i686.rpm libtar-debuginfo-1.2.20-17.el8.x86_64.rpm libtar-debugsource-1.2.20-17.el8.i686.rpm libtar-debugsource-1.2.20-17.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2021-33643 https://access.redhat.com/security/cve/CVE-2021-33644 https://access.redhat.com/security/cve/CVE-2021-33645 https://access.redhat.com/security/cve/CVE-2021-33646 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBZGNwdNzjgjWX9erEAQjfPw//SoG/pVemP1peDGxUFDfBMBbldrFWpNro Te4tTe3YAkVgQgtnGZ8n3Arlrryk+3wfgQj3u9gdUj1w14YyEZC8hpWLCXI5iw/P Ul4dHHOnO0UW568dkaqUeJjl02o2ugRp2RZVt14yuZqLKmF9WCJW7lCZQLoqCIVp 7P3vZOQBlyU6BuGXO4Th86fpLDEZCboBQDA2QeNFvt+qNwvNxgb3A05217tfXnZ4 EpltZPIrl8pzEmmWA09XeFgIm5GXNiWjjR/fF3OHSgQ9cmXnafxWSBNiDlzHNQCk 0/z5gcvl+BJLceQoZBo6hdldHCiOF20jCxr8Nb/3sSJ+zAqQqqNsnDQ1TGs2GMDz Mx5JECSk0p79MMKR0mrP2NbCqxqEsqOkjinIa0PDlKNPFbEikA4l7fXu58KyHsr/ V9otYHvD1ilS7cTw1FGi198oodCofA+euZCQBNnWuFbnrCo1cyRBN6mjCMZwDgww ZhNWOUvAmkhtC5ebBb8zuMJ73ojSwiv886kJbEjDlG7SDGbMPHxEAgTHWZp5l+jw z36m+SegsAXE/UKHRYTFriRA5p1pyq/AVUMwhMXvQhwwNxPl2wsaUOJGFBw3Fu3n bAFXpxAngQvELHEFOtmL9fzbnFo93OTkvuz9tJpbvNOCmDBJJEN6Znhic0iWzT0p kHiakPvkvj4=I+bk -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202208-0814",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "openeuler",
"scope": "eq",
"trust": 1.0,
"vendor": "openatom",
"version": "22.03"
},
{
"model": "libtar",
"scope": "lt",
"trust": 1.0,
"vendor": "feep",
"version": "1.2.21"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "37"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "35"
},
{
"model": "openeuler",
"scope": "eq",
"trust": 1.0,
"vendor": "openatom",
"version": "20.03"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "36"
},
{
"model": "fedora",
"scope": null,
"trust": 0.8,
"vendor": "fedora",
"version": null
},
{
"model": "openeuler",
"scope": null,
"trust": 0.8,
"vendor": "huawei",
"version": null
},
{
"model": "libtar",
"scope": null,
"trust": 0.8,
"vendor": "feep net",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-020151"
},
{
"db": "NVD",
"id": "CVE-2021-33646"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "172362"
}
],
"trust": 0.1
},
"cve": "CVE-2021-33646",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2021-33646",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2021-33646",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-33646",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2021-33646",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-202208-2782",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2782"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020151"
},
{
"db": "NVD",
"id": "CVE-2021-33646"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The th_read() function doesn\u2019t free a variable t-\u003eth_buf.gnu_longname after allocating memory, which may cause a memory leak. feep.net of libtar Products from multiple other vendors are vulnerable to lack of freeing memory after expiration.Service operation interruption (DoS) It may be in a state. openEuler is an operating system of the Open Atom Open Source Foundation. There are security vulnerabilities in openEuler 20.03-LTS-SP1, 20.03-LTS-SP3 and 22.03-LTS versions. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: libtar security update\nAdvisory ID: RHSA-2023:2898-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2023:2898\nIssue date: 2023-05-16\nCVE Names: CVE-2021-33643 CVE-2021-33644 CVE-2021-33645\n CVE-2021-33646\n====================================================================\n1. Summary:\n\nAn update for libtar is now available for Red Hat Enterprise Linux 8. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64\n\n3. Description:\n\nThe libtar packages contain a C library for manipulating tar archives. The\nlibrary supports both the strict POSIX tar format and many of the commonly\nused GNU extensions. \n\nSecurity Fix(es):\n\n* libtar: out-of-bounds read in gnu_longlink (CVE-2021-33643)\n\n* libtar: out-of-bounds read in gnu_longname (CVE-2021-33644)\n\n* libtar: memory leak found in th_read() function (CVE-2021-33645)\n\n* libtar: memory leak found in th_read() function (CVE-2021-33646)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 8.8 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Package List:\n\nRed Hat Enterprise Linux AppStream (v. 8):\n\nSource:\nlibtar-1.2.20-17.el8.src.rpm\n\naarch64:\nlibtar-1.2.20-17.el8.aarch64.rpm\nlibtar-debuginfo-1.2.20-17.el8.aarch64.rpm\nlibtar-debugsource-1.2.20-17.el8.aarch64.rpm\n\nppc64le:\nlibtar-1.2.20-17.el8.ppc64le.rpm\nlibtar-debuginfo-1.2.20-17.el8.ppc64le.rpm\nlibtar-debugsource-1.2.20-17.el8.ppc64le.rpm\n\ns390x:\nlibtar-1.2.20-17.el8.s390x.rpm\nlibtar-debuginfo-1.2.20-17.el8.s390x.rpm\nlibtar-debugsource-1.2.20-17.el8.s390x.rpm\n\nx86_64:\nlibtar-1.2.20-17.el8.i686.rpm\nlibtar-1.2.20-17.el8.x86_64.rpm\nlibtar-debuginfo-1.2.20-17.el8.i686.rpm\nlibtar-debuginfo-1.2.20-17.el8.x86_64.rpm\nlibtar-debugsource-1.2.20-17.el8.i686.rpm\nlibtar-debugsource-1.2.20-17.el8.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-33643\nhttps://access.redhat.com/security/cve/CVE-2021-33644\nhttps://access.redhat.com/security/cve/CVE-2021-33645\nhttps://access.redhat.com/security/cve/CVE-2021-33646\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2023 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBZGNwdNzjgjWX9erEAQjfPw//SoG/pVemP1peDGxUFDfBMBbldrFWpNro\nTe4tTe3YAkVgQgtnGZ8n3Arlrryk+3wfgQj3u9gdUj1w14YyEZC8hpWLCXI5iw/P\nUl4dHHOnO0UW568dkaqUeJjl02o2ugRp2RZVt14yuZqLKmF9WCJW7lCZQLoqCIVp\n7P3vZOQBlyU6BuGXO4Th86fpLDEZCboBQDA2QeNFvt+qNwvNxgb3A05217tfXnZ4\nEpltZPIrl8pzEmmWA09XeFgIm5GXNiWjjR/fF3OHSgQ9cmXnafxWSBNiDlzHNQCk\n0/z5gcvl+BJLceQoZBo6hdldHCiOF20jCxr8Nb/3sSJ+zAqQqqNsnDQ1TGs2GMDz\nMx5JECSk0p79MMKR0mrP2NbCqxqEsqOkjinIa0PDlKNPFbEikA4l7fXu58KyHsr/\nV9otYHvD1ilS7cTw1FGi198oodCofA+euZCQBNnWuFbnrCo1cyRBN6mjCMZwDgww\nZhNWOUvAmkhtC5ebBb8zuMJ73ojSwiv886kJbEjDlG7SDGbMPHxEAgTHWZp5l+jw\nz36m+SegsAXE/UKHRYTFriRA5p1pyq/AVUMwhMXvQhwwNxPl2wsaUOJGFBw3Fu3n\nbAFXpxAngQvELHEFOtmL9fzbnFo93OTkvuz9tJpbvNOCmDBJJEN6Znhic0iWzT0p\nkHiakPvkvj4=I+bk\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-33646"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020151"
},
{
"db": "VULHUB",
"id": "VHN-393724"
},
{
"db": "PACKETSTORM",
"id": "172362"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-33646",
"trust": 3.4
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020151",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2782",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-393724",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "172362",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-393724"
},
{
"db": "PACKETSTORM",
"id": "172362"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2782"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020151"
},
{
"db": "NVD",
"id": "CVE-2021-33646"
}
]
},
"id": "VAR-202208-0814",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-393724"
}
],
"trust": 0.01
},
"last_update_date": "2025-11-18T15:06:15.807000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "openEuler Security vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=204271"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2782"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-401",
"trust": 1.1
},
{
"problemtype": "Lack of memory release after expiration (CWE-401) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-393724"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020151"
},
{
"db": "NVD",
"id": "CVE-2021-33646"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openeuler-sa-2022-1807"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7q26qdnojdofywmjweik5xr62m2ff6ij/"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/od4hebsti22fnykokk7w3x6zqe6fv3xc/"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4s4pjrcjleawn2ekxglsobtl7o57v7nc/"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7wx5ye66ct7y5c2hthxsfdkqwywywj2t/"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5yshzy753r7xw6cikjvawi373ww3yrrj/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4s4pjrcjleawn2ekxglsobtl7o57v7nc/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7q26qdnojdofywmjweik5xr62m2ff6ij/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7wx5ye66ct7y5c2hthxsfdkqwywywj2t/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/od4hebsti22fnykokk7w3x6zqe6fv3xc/"
},
{
"trust": 1.0,
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00026.html"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5yshzy753r7xw6cikjvawi373ww3yrrj/"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33646"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/libtar-four-vulnerabilities-39176"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2021-33646/"
},
{
"trust": 0.1,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33643"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:2898"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33646"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33644"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33644"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33643"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33645"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33645"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/key/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-393724"
},
{
"db": "PACKETSTORM",
"id": "172362"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2782"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020151"
},
{
"db": "NVD",
"id": "CVE-2021-33646"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-393724"
},
{
"db": "PACKETSTORM",
"id": "172362"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2782"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020151"
},
{
"db": "NVD",
"id": "CVE-2021-33646"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-08-10T00:00:00",
"db": "VULHUB",
"id": "VHN-393724"
},
{
"date": "2023-05-16T17:07:39",
"db": "PACKETSTORM",
"id": "172362"
},
{
"date": "2022-08-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202208-2782"
},
{
"date": "2023-09-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-020151"
},
{
"date": "2022-08-10T20:15:20.637000",
"db": "NVD",
"id": "CVE-2021-33646"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-01-11T00:00:00",
"db": "VULHUB",
"id": "VHN-393724"
},
{
"date": "2022-12-29T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202208-2782"
},
{
"date": "2023-09-19T08:11:00",
"db": "JVNDB",
"id": "JVNDB-2021-020151"
},
{
"date": "2025-11-03T21:15:41.500000",
"db": "NVD",
"id": "CVE-2021-33646"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2782"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "feep.net\u00a0 of \u00a0libtar\u00a0 Vulnerability related to lack of free memory after expiration in products from other vendors",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-020151"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2782"
}
],
"trust": 0.6
}
}
VAR-202208-0859
Vulnerability from variot - Updated: 2025-11-18 15:06The th_read() function doesn’t free a variable t->th_buf.gnu_longlink after allocating memory, which may cause a memory leak. feep.net of libtar Products from multiple other vendors are vulnerable to lack of freeing memory after expiration.Service operation interruption (DoS) It may be in a state. openEuler is an operating system of the Open Atom Open Source Foundation. There are security vulnerabilities in openEuler 20.03-LTS-SP1, 20.03-LTS-SP3 and 22.03-LTS versions. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: libtar security update Advisory ID: RHSA-2023:2898-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:2898 Issue date: 2023-05-16 CVE Names: CVE-2021-33643 CVE-2021-33644 CVE-2021-33645 CVE-2021-33646 ==================================================================== 1. Summary:
An update for libtar is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
- Description:
The libtar packages contain a C library for manipulating tar archives. The library supports both the strict POSIX tar format and many of the commonly used GNU extensions.
Security Fix(es):
-
libtar: out-of-bounds read in gnu_longlink (CVE-2021-33643)
-
libtar: out-of-bounds read in gnu_longname (CVE-2021-33644)
-
libtar: memory leak found in th_read() function (CVE-2021-33645)
-
libtar: memory leak found in th_read() function (CVE-2021-33646)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes linked from the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source: libtar-1.2.20-17.el8.src.rpm
aarch64: libtar-1.2.20-17.el8.aarch64.rpm libtar-debuginfo-1.2.20-17.el8.aarch64.rpm libtar-debugsource-1.2.20-17.el8.aarch64.rpm
ppc64le: libtar-1.2.20-17.el8.ppc64le.rpm libtar-debuginfo-1.2.20-17.el8.ppc64le.rpm libtar-debugsource-1.2.20-17.el8.ppc64le.rpm
s390x: libtar-1.2.20-17.el8.s390x.rpm libtar-debuginfo-1.2.20-17.el8.s390x.rpm libtar-debugsource-1.2.20-17.el8.s390x.rpm
x86_64: libtar-1.2.20-17.el8.i686.rpm libtar-1.2.20-17.el8.x86_64.rpm libtar-debuginfo-1.2.20-17.el8.i686.rpm libtar-debuginfo-1.2.20-17.el8.x86_64.rpm libtar-debugsource-1.2.20-17.el8.i686.rpm libtar-debugsource-1.2.20-17.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2021-33643 https://access.redhat.com/security/cve/CVE-2021-33644 https://access.redhat.com/security/cve/CVE-2021-33645 https://access.redhat.com/security/cve/CVE-2021-33646 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBZGNwdNzjgjWX9erEAQjfPw//SoG/pVemP1peDGxUFDfBMBbldrFWpNro Te4tTe3YAkVgQgtnGZ8n3Arlrryk+3wfgQj3u9gdUj1w14YyEZC8hpWLCXI5iw/P Ul4dHHOnO0UW568dkaqUeJjl02o2ugRp2RZVt14yuZqLKmF9WCJW7lCZQLoqCIVp 7P3vZOQBlyU6BuGXO4Th86fpLDEZCboBQDA2QeNFvt+qNwvNxgb3A05217tfXnZ4 EpltZPIrl8pzEmmWA09XeFgIm5GXNiWjjR/fF3OHSgQ9cmXnafxWSBNiDlzHNQCk 0/z5gcvl+BJLceQoZBo6hdldHCiOF20jCxr8Nb/3sSJ+zAqQqqNsnDQ1TGs2GMDz Mx5JECSk0p79MMKR0mrP2NbCqxqEsqOkjinIa0PDlKNPFbEikA4l7fXu58KyHsr/ V9otYHvD1ilS7cTw1FGi198oodCofA+euZCQBNnWuFbnrCo1cyRBN6mjCMZwDgww ZhNWOUvAmkhtC5ebBb8zuMJ73ojSwiv886kJbEjDlG7SDGbMPHxEAgTHWZp5l+jw z36m+SegsAXE/UKHRYTFriRA5p1pyq/AVUMwhMXvQhwwNxPl2wsaUOJGFBw3Fu3n bAFXpxAngQvELHEFOtmL9fzbnFo93OTkvuz9tJpbvNOCmDBJJEN6Znhic0iWzT0p kHiakPvkvj4=I+bk -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202208-0859",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "openeuler",
"scope": "eq",
"trust": 1.0,
"vendor": "openatom",
"version": "22.03"
},
{
"model": "libtar",
"scope": "lt",
"trust": 1.0,
"vendor": "feep",
"version": "1.2.21"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "37"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "35"
},
{
"model": "openeuler",
"scope": "eq",
"trust": 1.0,
"vendor": "openatom",
"version": "20.03"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "36"
},
{
"model": "fedora",
"scope": null,
"trust": 0.8,
"vendor": "fedora",
"version": null
},
{
"model": "openeuler",
"scope": null,
"trust": 0.8,
"vendor": "huawei",
"version": null
},
{
"model": "libtar",
"scope": null,
"trust": 0.8,
"vendor": "feep net",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-020152"
},
{
"db": "NVD",
"id": "CVE-2021-33645"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "172362"
}
],
"trust": 0.1
},
"cve": "CVE-2021-33645",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2021-33645",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2021-33645",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-33645",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2021-33645",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-202208-2781",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2781"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020152"
},
{
"db": "NVD",
"id": "CVE-2021-33645"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The th_read() function doesn\u2019t free a variable t-\u003eth_buf.gnu_longlink after allocating memory, which may cause a memory leak. feep.net of libtar Products from multiple other vendors are vulnerable to lack of freeing memory after expiration.Service operation interruption (DoS) It may be in a state. openEuler is an operating system of the Open Atom Open Source Foundation. There are security vulnerabilities in openEuler 20.03-LTS-SP1, 20.03-LTS-SP3 and 22.03-LTS versions. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: libtar security update\nAdvisory ID: RHSA-2023:2898-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2023:2898\nIssue date: 2023-05-16\nCVE Names: CVE-2021-33643 CVE-2021-33644 CVE-2021-33645\n CVE-2021-33646\n====================================================================\n1. Summary:\n\nAn update for libtar is now available for Red Hat Enterprise Linux 8. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64\n\n3. Description:\n\nThe libtar packages contain a C library for manipulating tar archives. The\nlibrary supports both the strict POSIX tar format and many of the commonly\nused GNU extensions. \n\nSecurity Fix(es):\n\n* libtar: out-of-bounds read in gnu_longlink (CVE-2021-33643)\n\n* libtar: out-of-bounds read in gnu_longname (CVE-2021-33644)\n\n* libtar: memory leak found in th_read() function (CVE-2021-33645)\n\n* libtar: memory leak found in th_read() function (CVE-2021-33646)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 8.8 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Package List:\n\nRed Hat Enterprise Linux AppStream (v. 8):\n\nSource:\nlibtar-1.2.20-17.el8.src.rpm\n\naarch64:\nlibtar-1.2.20-17.el8.aarch64.rpm\nlibtar-debuginfo-1.2.20-17.el8.aarch64.rpm\nlibtar-debugsource-1.2.20-17.el8.aarch64.rpm\n\nppc64le:\nlibtar-1.2.20-17.el8.ppc64le.rpm\nlibtar-debuginfo-1.2.20-17.el8.ppc64le.rpm\nlibtar-debugsource-1.2.20-17.el8.ppc64le.rpm\n\ns390x:\nlibtar-1.2.20-17.el8.s390x.rpm\nlibtar-debuginfo-1.2.20-17.el8.s390x.rpm\nlibtar-debugsource-1.2.20-17.el8.s390x.rpm\n\nx86_64:\nlibtar-1.2.20-17.el8.i686.rpm\nlibtar-1.2.20-17.el8.x86_64.rpm\nlibtar-debuginfo-1.2.20-17.el8.i686.rpm\nlibtar-debuginfo-1.2.20-17.el8.x86_64.rpm\nlibtar-debugsource-1.2.20-17.el8.i686.rpm\nlibtar-debugsource-1.2.20-17.el8.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-33643\nhttps://access.redhat.com/security/cve/CVE-2021-33644\nhttps://access.redhat.com/security/cve/CVE-2021-33645\nhttps://access.redhat.com/security/cve/CVE-2021-33646\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2023 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBZGNwdNzjgjWX9erEAQjfPw//SoG/pVemP1peDGxUFDfBMBbldrFWpNro\nTe4tTe3YAkVgQgtnGZ8n3Arlrryk+3wfgQj3u9gdUj1w14YyEZC8hpWLCXI5iw/P\nUl4dHHOnO0UW568dkaqUeJjl02o2ugRp2RZVt14yuZqLKmF9WCJW7lCZQLoqCIVp\n7P3vZOQBlyU6BuGXO4Th86fpLDEZCboBQDA2QeNFvt+qNwvNxgb3A05217tfXnZ4\nEpltZPIrl8pzEmmWA09XeFgIm5GXNiWjjR/fF3OHSgQ9cmXnafxWSBNiDlzHNQCk\n0/z5gcvl+BJLceQoZBo6hdldHCiOF20jCxr8Nb/3sSJ+zAqQqqNsnDQ1TGs2GMDz\nMx5JECSk0p79MMKR0mrP2NbCqxqEsqOkjinIa0PDlKNPFbEikA4l7fXu58KyHsr/\nV9otYHvD1ilS7cTw1FGi198oodCofA+euZCQBNnWuFbnrCo1cyRBN6mjCMZwDgww\nZhNWOUvAmkhtC5ebBb8zuMJ73ojSwiv886kJbEjDlG7SDGbMPHxEAgTHWZp5l+jw\nz36m+SegsAXE/UKHRYTFriRA5p1pyq/AVUMwhMXvQhwwNxPl2wsaUOJGFBw3Fu3n\nbAFXpxAngQvELHEFOtmL9fzbnFo93OTkvuz9tJpbvNOCmDBJJEN6Znhic0iWzT0p\nkHiakPvkvj4=I+bk\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-33645"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020152"
},
{
"db": "VULHUB",
"id": "VHN-393723"
},
{
"db": "PACKETSTORM",
"id": "172362"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-33645",
"trust": 3.4
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020152",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2781",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-393723",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "172362",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-393723"
},
{
"db": "PACKETSTORM",
"id": "172362"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2781"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020152"
},
{
"db": "NVD",
"id": "CVE-2021-33645"
}
]
},
"id": "VAR-202208-0859",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-393723"
}
],
"trust": 0.01
},
"last_update_date": "2025-11-18T15:06:15.778000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "openEuler Security vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=204270"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2781"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-401",
"trust": 1.1
},
{
"problemtype": "Lack of memory release after expiration (CWE-401) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-393723"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020152"
},
{
"db": "NVD",
"id": "CVE-2021-33645"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openeuler-sa-2022-1807"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7q26qdnojdofywmjweik5xr62m2ff6ij/"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/od4hebsti22fnykokk7w3x6zqe6fv3xc/"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4s4pjrcjleawn2ekxglsobtl7o57v7nc/"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7wx5ye66ct7y5c2hthxsfdkqwywywj2t/"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5yshzy753r7xw6cikjvawi373ww3yrrj/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4s4pjrcjleawn2ekxglsobtl7o57v7nc/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7q26qdnojdofywmjweik5xr62m2ff6ij/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7wx5ye66ct7y5c2hthxsfdkqwywywj2t/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/od4hebsti22fnykokk7w3x6zqe6fv3xc/"
},
{
"trust": 1.0,
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00026.html"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5yshzy753r7xw6cikjvawi373ww3yrrj/"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33645"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/libtar-four-vulnerabilities-39176"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2021-33645/"
},
{
"trust": 0.1,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33643"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:2898"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33646"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33646"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33644"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33644"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33643"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33645"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/key/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-393723"
},
{
"db": "PACKETSTORM",
"id": "172362"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2781"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020152"
},
{
"db": "NVD",
"id": "CVE-2021-33645"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-393723"
},
{
"db": "PACKETSTORM",
"id": "172362"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2781"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020152"
},
{
"db": "NVD",
"id": "CVE-2021-33645"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-08-10T00:00:00",
"db": "VULHUB",
"id": "VHN-393723"
},
{
"date": "2023-05-16T17:07:39",
"db": "PACKETSTORM",
"id": "172362"
},
{
"date": "2022-08-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202208-2781"
},
{
"date": "2023-09-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-020152"
},
{
"date": "2022-08-10T20:15:20.573000",
"db": "NVD",
"id": "CVE-2021-33645"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-01-11T00:00:00",
"db": "VULHUB",
"id": "VHN-393723"
},
{
"date": "2022-12-29T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202208-2781"
},
{
"date": "2023-09-19T08:11:00",
"db": "JVNDB",
"id": "JVNDB-2021-020152"
},
{
"date": "2025-11-03T21:15:41.387000",
"db": "NVD",
"id": "CVE-2021-33645"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2781"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "feep.net\u00a0 of \u00a0libtar\u00a0 Vulnerability related to lack of free memory after expiration in products from other vendors",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-020152"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2781"
}
],
"trust": 0.6
}
}
VAR-202208-0945
Vulnerability from variot - Updated: 2025-11-18 15:06An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longname, causing an out-of-bounds read. feep.net of libtar Products from other vendors have out-of-bounds read vulnerabilities.Information is obtained and service operation is interrupted (DoS) It may be in a state. openEuler is an operating system of the Open Atom Open Source Foundation. There are security vulnerabilities in openEuler 20.03-LTS-SP1, 20.03-LTS-SP3 and 22.03-LTS versions of the Open Atom Open Source Foundation. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: libtar security update Advisory ID: RHSA-2023:2898-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:2898 Issue date: 2023-05-16 CVE Names: CVE-2021-33643 CVE-2021-33644 CVE-2021-33645 CVE-2021-33646 ==================================================================== 1. Summary:
An update for libtar is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
- Description:
The libtar packages contain a C library for manipulating tar archives. The library supports both the strict POSIX tar format and many of the commonly used GNU extensions.
Security Fix(es):
-
libtar: out-of-bounds read in gnu_longlink (CVE-2021-33643)
-
libtar: out-of-bounds read in gnu_longname (CVE-2021-33644)
-
libtar: memory leak found in th_read() function (CVE-2021-33645)
-
libtar: memory leak found in th_read() function (CVE-2021-33646)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes linked from the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2121289 - CVE-2021-33643 libtar: out-of-bounds read in gnu_longlink 2121292 - CVE-2021-33644 libtar: out-of-bounds read in gnu_longname 2121295 - CVE-2021-33645 libtar: memory leak found in th_read() function 2121297 - CVE-2021-33646 libtar: memory leak found in th_read() function
- Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source: libtar-1.2.20-17.el8.src.rpm
aarch64: libtar-1.2.20-17.el8.aarch64.rpm libtar-debuginfo-1.2.20-17.el8.aarch64.rpm libtar-debugsource-1.2.20-17.el8.aarch64.rpm
ppc64le: libtar-1.2.20-17.el8.ppc64le.rpm libtar-debuginfo-1.2.20-17.el8.ppc64le.rpm libtar-debugsource-1.2.20-17.el8.ppc64le.rpm
s390x: libtar-1.2.20-17.el8.s390x.rpm libtar-debuginfo-1.2.20-17.el8.s390x.rpm libtar-debugsource-1.2.20-17.el8.s390x.rpm
x86_64: libtar-1.2.20-17.el8.i686.rpm libtar-1.2.20-17.el8.x86_64.rpm libtar-debuginfo-1.2.20-17.el8.i686.rpm libtar-debuginfo-1.2.20-17.el8.x86_64.rpm libtar-debugsource-1.2.20-17.el8.i686.rpm libtar-debugsource-1.2.20-17.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2021-33643 https://access.redhat.com/security/cve/CVE-2021-33644 https://access.redhat.com/security/cve/CVE-2021-33645 https://access.redhat.com/security/cve/CVE-2021-33646 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBZGNwdNzjgjWX9erEAQjfPw//SoG/pVemP1peDGxUFDfBMBbldrFWpNro Te4tTe3YAkVgQgtnGZ8n3Arlrryk+3wfgQj3u9gdUj1w14YyEZC8hpWLCXI5iw/P Ul4dHHOnO0UW568dkaqUeJjl02o2ugRp2RZVt14yuZqLKmF9WCJW7lCZQLoqCIVp 7P3vZOQBlyU6BuGXO4Th86fpLDEZCboBQDA2QeNFvt+qNwvNxgb3A05217tfXnZ4 EpltZPIrl8pzEmmWA09XeFgIm5GXNiWjjR/fF3OHSgQ9cmXnafxWSBNiDlzHNQCk 0/z5gcvl+BJLceQoZBo6hdldHCiOF20jCxr8Nb/3sSJ+zAqQqqNsnDQ1TGs2GMDz Mx5JECSk0p79MMKR0mrP2NbCqxqEsqOkjinIa0PDlKNPFbEikA4l7fXu58KyHsr/ V9otYHvD1ilS7cTw1FGi198oodCofA+euZCQBNnWuFbnrCo1cyRBN6mjCMZwDgww ZhNWOUvAmkhtC5ebBb8zuMJ73ojSwiv886kJbEjDlG7SDGbMPHxEAgTHWZp5l+jw z36m+SegsAXE/UKHRYTFriRA5p1pyq/AVUMwhMXvQhwwNxPl2wsaUOJGFBw3Fu3n bAFXpxAngQvELHEFOtmL9fzbnFo93OTkvuz9tJpbvNOCmDBJJEN6Znhic0iWzT0p kHiakPvkvj4=I+bk -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202208-0945",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "openeuler",
"scope": "eq",
"trust": 1.0,
"vendor": "openatom",
"version": "22.03"
},
{
"model": "libtar",
"scope": "lt",
"trust": 1.0,
"vendor": "feep",
"version": "1.2.21"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "37"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "35"
},
{
"model": "openeuler",
"scope": "eq",
"trust": 1.0,
"vendor": "openatom",
"version": "20.03"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "36"
},
{
"model": "fedora",
"scope": null,
"trust": 0.8,
"vendor": "fedora",
"version": null
},
{
"model": "openeuler",
"scope": null,
"trust": 0.8,
"vendor": "huawei",
"version": null
},
{
"model": "libtar",
"scope": null,
"trust": 0.8,
"vendor": "feep net",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-020153"
},
{
"db": "NVD",
"id": "CVE-2021-33644"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "172362"
}
],
"trust": 0.1
},
"cve": "CVE-2021-33644",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2021-33644",
"impactScore": 5.2,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.1,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-33644",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-33644",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2021-33644",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-202208-2779",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2779"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020153"
},
{
"db": "NVD",
"id": "CVE-2021-33644"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longname, causing an out-of-bounds read. feep.net of libtar Products from other vendors have out-of-bounds read vulnerabilities.Information is obtained and service operation is interrupted (DoS) It may be in a state. openEuler is an operating system of the Open Atom Open Source Foundation. There are security vulnerabilities in openEuler 20.03-LTS-SP1, 20.03-LTS-SP3 and 22.03-LTS versions of the Open Atom Open Source Foundation. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: libtar security update\nAdvisory ID: RHSA-2023:2898-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2023:2898\nIssue date: 2023-05-16\nCVE Names: CVE-2021-33643 CVE-2021-33644 CVE-2021-33645\n CVE-2021-33646\n====================================================================\n1. Summary:\n\nAn update for libtar is now available for Red Hat Enterprise Linux 8. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64\n\n3. Description:\n\nThe libtar packages contain a C library for manipulating tar archives. The\nlibrary supports both the strict POSIX tar format and many of the commonly\nused GNU extensions. \n\nSecurity Fix(es):\n\n* libtar: out-of-bounds read in gnu_longlink (CVE-2021-33643)\n\n* libtar: out-of-bounds read in gnu_longname (CVE-2021-33644)\n\n* libtar: memory leak found in th_read() function (CVE-2021-33645)\n\n* libtar: memory leak found in th_read() function (CVE-2021-33646)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 8.8 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n2121289 - CVE-2021-33643 libtar: out-of-bounds read in gnu_longlink\n2121292 - CVE-2021-33644 libtar: out-of-bounds read in gnu_longname\n2121295 - CVE-2021-33645 libtar: memory leak found in th_read() function\n2121297 - CVE-2021-33646 libtar: memory leak found in th_read() function\n\n6. Package List:\n\nRed Hat Enterprise Linux AppStream (v. 8):\n\nSource:\nlibtar-1.2.20-17.el8.src.rpm\n\naarch64:\nlibtar-1.2.20-17.el8.aarch64.rpm\nlibtar-debuginfo-1.2.20-17.el8.aarch64.rpm\nlibtar-debugsource-1.2.20-17.el8.aarch64.rpm\n\nppc64le:\nlibtar-1.2.20-17.el8.ppc64le.rpm\nlibtar-debuginfo-1.2.20-17.el8.ppc64le.rpm\nlibtar-debugsource-1.2.20-17.el8.ppc64le.rpm\n\ns390x:\nlibtar-1.2.20-17.el8.s390x.rpm\nlibtar-debuginfo-1.2.20-17.el8.s390x.rpm\nlibtar-debugsource-1.2.20-17.el8.s390x.rpm\n\nx86_64:\nlibtar-1.2.20-17.el8.i686.rpm\nlibtar-1.2.20-17.el8.x86_64.rpm\nlibtar-debuginfo-1.2.20-17.el8.i686.rpm\nlibtar-debuginfo-1.2.20-17.el8.x86_64.rpm\nlibtar-debugsource-1.2.20-17.el8.i686.rpm\nlibtar-debugsource-1.2.20-17.el8.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-33643\nhttps://access.redhat.com/security/cve/CVE-2021-33644\nhttps://access.redhat.com/security/cve/CVE-2021-33645\nhttps://access.redhat.com/security/cve/CVE-2021-33646\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2023 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBZGNwdNzjgjWX9erEAQjfPw//SoG/pVemP1peDGxUFDfBMBbldrFWpNro\nTe4tTe3YAkVgQgtnGZ8n3Arlrryk+3wfgQj3u9gdUj1w14YyEZC8hpWLCXI5iw/P\nUl4dHHOnO0UW568dkaqUeJjl02o2ugRp2RZVt14yuZqLKmF9WCJW7lCZQLoqCIVp\n7P3vZOQBlyU6BuGXO4Th86fpLDEZCboBQDA2QeNFvt+qNwvNxgb3A05217tfXnZ4\nEpltZPIrl8pzEmmWA09XeFgIm5GXNiWjjR/fF3OHSgQ9cmXnafxWSBNiDlzHNQCk\n0/z5gcvl+BJLceQoZBo6hdldHCiOF20jCxr8Nb/3sSJ+zAqQqqNsnDQ1TGs2GMDz\nMx5JECSk0p79MMKR0mrP2NbCqxqEsqOkjinIa0PDlKNPFbEikA4l7fXu58KyHsr/\nV9otYHvD1ilS7cTw1FGi198oodCofA+euZCQBNnWuFbnrCo1cyRBN6mjCMZwDgww\nZhNWOUvAmkhtC5ebBb8zuMJ73ojSwiv886kJbEjDlG7SDGbMPHxEAgTHWZp5l+jw\nz36m+SegsAXE/UKHRYTFriRA5p1pyq/AVUMwhMXvQhwwNxPl2wsaUOJGFBw3Fu3n\nbAFXpxAngQvELHEFOtmL9fzbnFo93OTkvuz9tJpbvNOCmDBJJEN6Znhic0iWzT0p\nkHiakPvkvj4=I+bk\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-33644"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020153"
},
{
"db": "VULHUB",
"id": "VHN-393722"
},
{
"db": "PACKETSTORM",
"id": "172362"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-33644",
"trust": 3.4
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020153",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2779",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-393722",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "172362",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-393722"
},
{
"db": "PACKETSTORM",
"id": "172362"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2779"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020153"
},
{
"db": "NVD",
"id": "CVE-2021-33644"
}
]
},
"id": "VAR-202208-0945",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-393722"
}
],
"trust": 0.01
},
"last_update_date": "2025-11-18T15:06:15.749000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "openEuler Buffer error vulnerability fix",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=204268"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2779"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-125",
"trust": 1.1
},
{
"problemtype": "Out-of-bounds read (CWE-125) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-393722"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020153"
},
{
"db": "NVD",
"id": "CVE-2021-33644"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openeuler-sa-2022-1807"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7q26qdnojdofywmjweik5xr62m2ff6ij/"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/od4hebsti22fnykokk7w3x6zqe6fv3xc/"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4s4pjrcjleawn2ekxglsobtl7o57v7nc/"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7wx5ye66ct7y5c2hthxsfdkqwywywj2t/"
},
{
"trust": 1.5,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5yshzy753r7xw6cikjvawi373ww3yrrj/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4s4pjrcjleawn2ekxglsobtl7o57v7nc/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7q26qdnojdofywmjweik5xr62m2ff6ij/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7wx5ye66ct7y5c2hthxsfdkqwywywj2t/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/od4hebsti22fnykokk7w3x6zqe6fv3xc/"
},
{
"trust": 1.0,
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00026.html"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5yshzy753r7xw6cikjvawi373ww3yrrj/"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33644"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/libtar-four-vulnerabilities-39176"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2021-33644/"
},
{
"trust": 0.1,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33643"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:2898"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33646"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33646"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33644"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33643"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33645"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33645"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/key/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-393722"
},
{
"db": "PACKETSTORM",
"id": "172362"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2779"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020153"
},
{
"db": "NVD",
"id": "CVE-2021-33644"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-393722"
},
{
"db": "PACKETSTORM",
"id": "172362"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2779"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-020153"
},
{
"db": "NVD",
"id": "CVE-2021-33644"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-08-10T00:00:00",
"db": "VULHUB",
"id": "VHN-393722"
},
{
"date": "2023-05-16T17:07:39",
"db": "PACKETSTORM",
"id": "172362"
},
{
"date": "2022-08-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202208-2779"
},
{
"date": "2023-09-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-020153"
},
{
"date": "2022-08-10T20:15:20.517000",
"db": "NVD",
"id": "CVE-2021-33644"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-01-11T00:00:00",
"db": "VULHUB",
"id": "VHN-393722"
},
{
"date": "2022-12-29T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202208-2779"
},
{
"date": "2023-09-19T08:11:00",
"db": "JVNDB",
"id": "JVNDB-2021-020153"
},
{
"date": "2025-11-03T21:15:41.270000",
"db": "NVD",
"id": "CVE-2021-33644"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2779"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "feep.net\u00a0 of \u00a0libtar\u00a0 Out-of-Bounds Read Vulnerability in Other Vendors\u0027 Products",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-020153"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2779"
}
],
"trust": 0.6
}
}
CVE-2021-33646 (GCVE-0-2021-33646)
Vulnerability from nvd – Published: 2022-08-09 00:00 – Updated: 2025-11-03 20:33
VLAI?
Summary
The th_read() function doesn’t free a variable t->th_buf.gnu_longname after allocating memory, which may cause a memory leak.
Severity ?
No CVSS data available.
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:33:40.032Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807"
},
{
"name": "FEDORA-2022-fe1a4e3cf0",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YSHZY753R7XW6CIKJVAWI373WW3YRRJ/"
},
{
"name": "FEDORA-2022-50e8a1b51d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/"
},
{
"name": "FEDORA-2022-44a20bba43",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7Q26QDNOJDOFYWMJWEIK5XR62M2FF6IJ/"
},
{
"name": "FEDORA-2022-88772d0a2d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/"
},
{
"name": "FEDORA-2022-ccc68b06cc",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WX5YE66CT7Y5C2HTHXSFDKQWYWYWJ2T/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00026.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "libtar",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\u003c1.2.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The th_read() function doesn\u2019t free a variable t-\u003eth_buf.gnu_longname after allocating memory, which may cause a memory leak."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401: Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-28T00:00:00.000Z",
"orgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"shortName": "openEuler"
},
"references": [
{
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807"
},
{
"name": "FEDORA-2022-fe1a4e3cf0",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YSHZY753R7XW6CIKJVAWI373WW3YRRJ/"
},
{
"name": "FEDORA-2022-50e8a1b51d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/"
},
{
"name": "FEDORA-2022-44a20bba43",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7Q26QDNOJDOFYWMJWEIK5XR62M2FF6IJ/"
},
{
"name": "FEDORA-2022-88772d0a2d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/"
},
{
"name": "FEDORA-2022-ccc68b06cc",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WX5YE66CT7Y5C2HTHXSFDKQWYWYWJ2T/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"assignerShortName": "openEuler",
"cveId": "CVE-2021-33646",
"datePublished": "2022-08-09T00:00:00.000Z",
"dateReserved": "2021-05-28T00:00:00.000Z",
"dateUpdated": "2025-11-03T20:33:40.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-33645 (GCVE-0-2021-33645)
Vulnerability from nvd – Published: 2022-08-09 00:00 – Updated: 2025-11-03 20:33
VLAI?
Summary
The th_read() function doesn’t free a variable t->th_buf.gnu_longlink after allocating memory, which may cause a memory leak.
Severity ?
No CVSS data available.
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:33:38.619Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807"
},
{
"name": "FEDORA-2022-fe1a4e3cf0",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YSHZY753R7XW6CIKJVAWI373WW3YRRJ/"
},
{
"name": "FEDORA-2022-50e8a1b51d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/"
},
{
"name": "FEDORA-2022-44a20bba43",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7Q26QDNOJDOFYWMJWEIK5XR62M2FF6IJ/"
},
{
"name": "FEDORA-2022-88772d0a2d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/"
},
{
"name": "FEDORA-2022-ccc68b06cc",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WX5YE66CT7Y5C2HTHXSFDKQWYWYWJ2T/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00026.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "libtar",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\u003c1.2.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The th_read() function doesn\u2019t free a variable t-\u003eth_buf.gnu_longlink after allocating memory, which may cause a memory leak."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401: Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-28T00:00:00.000Z",
"orgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"shortName": "openEuler"
},
"references": [
{
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807"
},
{
"name": "FEDORA-2022-fe1a4e3cf0",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YSHZY753R7XW6CIKJVAWI373WW3YRRJ/"
},
{
"name": "FEDORA-2022-50e8a1b51d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/"
},
{
"name": "FEDORA-2022-44a20bba43",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7Q26QDNOJDOFYWMJWEIK5XR62M2FF6IJ/"
},
{
"name": "FEDORA-2022-88772d0a2d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/"
},
{
"name": "FEDORA-2022-ccc68b06cc",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WX5YE66CT7Y5C2HTHXSFDKQWYWYWJ2T/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"assignerShortName": "openEuler",
"cveId": "CVE-2021-33645",
"datePublished": "2022-08-09T00:00:00.000Z",
"dateReserved": "2021-05-28T00:00:00.000Z",
"dateUpdated": "2025-11-03T20:33:38.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-33644 (GCVE-0-2021-33644)
Vulnerability from nvd – Published: 2022-08-09 00:00 – Updated: 2025-11-03 20:33
VLAI?
Summary
An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longname, causing an out-of-bounds read.
Severity ?
No CVSS data available.
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:33:37.233Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807"
},
{
"name": "FEDORA-2022-fe1a4e3cf0",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YSHZY753R7XW6CIKJVAWI373WW3YRRJ/"
},
{
"name": "FEDORA-2022-50e8a1b51d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/"
},
{
"name": "FEDORA-2022-44a20bba43",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7Q26QDNOJDOFYWMJWEIK5XR62M2FF6IJ/"
},
{
"name": "FEDORA-2022-88772d0a2d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/"
},
{
"name": "FEDORA-2022-ccc68b06cc",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WX5YE66CT7Y5C2HTHXSFDKQWYWYWJ2T/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00026.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "libtar",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\u003c1.2.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longname, causing an out-of-bounds read."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-28T00:00:00.000Z",
"orgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"shortName": "openEuler"
},
"references": [
{
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807"
},
{
"name": "FEDORA-2022-fe1a4e3cf0",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YSHZY753R7XW6CIKJVAWI373WW3YRRJ/"
},
{
"name": "FEDORA-2022-50e8a1b51d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/"
},
{
"name": "FEDORA-2022-44a20bba43",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7Q26QDNOJDOFYWMJWEIK5XR62M2FF6IJ/"
},
{
"name": "FEDORA-2022-88772d0a2d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/"
},
{
"name": "FEDORA-2022-ccc68b06cc",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WX5YE66CT7Y5C2HTHXSFDKQWYWYWJ2T/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"assignerShortName": "openEuler",
"cveId": "CVE-2021-33644",
"datePublished": "2022-08-09T00:00:00.000Z",
"dateReserved": "2021-05-28T00:00:00.000Z",
"dateUpdated": "2025-11-03T20:33:37.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-33643 (GCVE-0-2021-33643)
Vulnerability from nvd – Published: 2022-08-09 00:00 – Updated: 2025-11-03 20:33
VLAI?
Summary
An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longlink, causing an out-of-bounds read.
Severity ?
No CVSS data available.
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:33:35.833Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807"
},
{
"name": "FEDORA-2022-fe1a4e3cf0",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YSHZY753R7XW6CIKJVAWI373WW3YRRJ/"
},
{
"name": "FEDORA-2022-50e8a1b51d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/"
},
{
"name": "FEDORA-2022-44a20bba43",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7Q26QDNOJDOFYWMJWEIK5XR62M2FF6IJ/"
},
{
"name": "FEDORA-2022-88772d0a2d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/"
},
{
"name": "FEDORA-2022-ccc68b06cc",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WX5YE66CT7Y5C2HTHXSFDKQWYWYWJ2T/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00026.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "libtar",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\u003c1.2.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longlink, causing an out-of-bounds read."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-28T00:00:00.000Z",
"orgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"shortName": "openEuler"
},
"references": [
{
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807"
},
{
"name": "FEDORA-2022-fe1a4e3cf0",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YSHZY753R7XW6CIKJVAWI373WW3YRRJ/"
},
{
"name": "FEDORA-2022-50e8a1b51d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/"
},
{
"name": "FEDORA-2022-44a20bba43",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7Q26QDNOJDOFYWMJWEIK5XR62M2FF6IJ/"
},
{
"name": "FEDORA-2022-88772d0a2d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/"
},
{
"name": "FEDORA-2022-ccc68b06cc",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WX5YE66CT7Y5C2HTHXSFDKQWYWYWJ2T/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"assignerShortName": "openEuler",
"cveId": "CVE-2021-33643",
"datePublished": "2022-08-09T00:00:00.000Z",
"dateReserved": "2021-05-28T00:00:00.000Z",
"dateUpdated": "2025-11-03T20:33:35.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2013-4420 (GCVE-0-2013-4420)
Vulnerability from nvd – Published: 2014-02-20 16:00 – Updated: 2024-08-06 16:45
VLAI?
Summary
Multiple directory traversal vulnerabilities in the (1) tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20 and earlier allow remote attackers to overwrite arbitrary files via a .. (dot dot) in a crafted tar file.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Date Public ?
2013-12-10 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:45:14.493Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731860"
},
{
"name": "DSA-2863",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-2863"
},
{
"name": "[libtar] 20150213 Fw: Re: Validation of file names",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.feep.net:8080/pipermail/libtar/2014-February/000403.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-12-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple directory traversal vulnerabilities in the (1) tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20 and earlier allow remote attackers to overwrite arbitrary files via a .. (dot dot) in a crafted tar file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-02-20T13:57:00.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731860"
},
{
"name": "DSA-2863",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-2863"
},
{
"name": "[libtar] 20150213 Fw: Re: Validation of file names",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.feep.net:8080/pipermail/libtar/2014-February/000403.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-4420",
"datePublished": "2014-02-20T16:00:00.000Z",
"dateReserved": "2013-06-12T00:00:00.000Z",
"dateUpdated": "2024-08-06T16:45:14.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-4397 (GCVE-0-2013-4397)
Vulnerability from nvd – Published: 2013-10-17 23:00 – Updated: 2024-08-06 16:45
VLAI?
Summary
Multiple integer overflows in the th_read function in lib/block.c in libtar before 1.2.20 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) name or (2) link in an archive, which triggers a heap-based buffer overflow.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
Date Public ?
2013-10-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:45:14.871Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[libtar] 20131009 ANNOUNCE: libtar version 1.2.20",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.feep.net:8080/pipermail/libtar/2013-October/000361.html"
},
{
"name": "RHSA-2013:1418",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1418.html"
},
{
"name": "55253",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/55253"
},
{
"name": "1029166",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1029166"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://source.android.com/security/bulletin/2018-01-01"
},
{
"name": "[oss-security] 20131010 Re: Integer overflow in libtar (\u003c= 1.2.19)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/10/6"
},
{
"name": "55188",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/55188"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://repo.or.cz/w/libtar.git/commitdiff/45448e8bae671c2f7e80b860ae0fc0cedf2bdc04"
},
{
"name": "1040106",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040106"
},
{
"name": "DSA-2817",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2013/dsa-2817"
},
{
"name": "62922",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/62922"
},
{
"name": "[oss-security] 20131010 Integer overflow in libtar (\u003c= 1.2.19)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/10/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-10-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple integer overflows in the th_read function in lib/block.c in libtar before 1.2.20 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) name or (2) link in an archive, which triggers a heap-based buffer overflow."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-12T22:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[libtar] 20131009 ANNOUNCE: libtar version 1.2.20",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.feep.net:8080/pipermail/libtar/2013-October/000361.html"
},
{
"name": "RHSA-2013:1418",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1418.html"
},
{
"name": "55253",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/55253"
},
{
"name": "1029166",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1029166"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://source.android.com/security/bulletin/2018-01-01"
},
{
"name": "[oss-security] 20131010 Re: Integer overflow in libtar (\u003c= 1.2.19)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/10/6"
},
{
"name": "55188",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/55188"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://repo.or.cz/w/libtar.git/commitdiff/45448e8bae671c2f7e80b860ae0fc0cedf2bdc04"
},
{
"name": "1040106",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040106"
},
{
"name": "DSA-2817",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2013/dsa-2817"
},
{
"name": "62922",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/62922"
},
{
"name": "[oss-security] 20131010 Integer overflow in libtar (\u003c= 1.2.19)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/10/4"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-4397",
"datePublished": "2013-10-17T23:00:00.000Z",
"dateReserved": "2013-06-12T00:00:00.000Z",
"dateUpdated": "2024-08-06T16:45:14.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33646 (GCVE-0-2021-33646)
Vulnerability from cvelistv5 – Published: 2022-08-09 00:00 – Updated: 2025-11-03 20:33
VLAI?
Summary
The th_read() function doesn’t free a variable t->th_buf.gnu_longname after allocating memory, which may cause a memory leak.
Severity ?
No CVSS data available.
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:33:40.032Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807"
},
{
"name": "FEDORA-2022-fe1a4e3cf0",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YSHZY753R7XW6CIKJVAWI373WW3YRRJ/"
},
{
"name": "FEDORA-2022-50e8a1b51d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/"
},
{
"name": "FEDORA-2022-44a20bba43",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7Q26QDNOJDOFYWMJWEIK5XR62M2FF6IJ/"
},
{
"name": "FEDORA-2022-88772d0a2d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/"
},
{
"name": "FEDORA-2022-ccc68b06cc",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WX5YE66CT7Y5C2HTHXSFDKQWYWYWJ2T/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00026.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "libtar",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\u003c1.2.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The th_read() function doesn\u2019t free a variable t-\u003eth_buf.gnu_longname after allocating memory, which may cause a memory leak."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401: Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-28T00:00:00.000Z",
"orgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"shortName": "openEuler"
},
"references": [
{
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807"
},
{
"name": "FEDORA-2022-fe1a4e3cf0",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YSHZY753R7XW6CIKJVAWI373WW3YRRJ/"
},
{
"name": "FEDORA-2022-50e8a1b51d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/"
},
{
"name": "FEDORA-2022-44a20bba43",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7Q26QDNOJDOFYWMJWEIK5XR62M2FF6IJ/"
},
{
"name": "FEDORA-2022-88772d0a2d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/"
},
{
"name": "FEDORA-2022-ccc68b06cc",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WX5YE66CT7Y5C2HTHXSFDKQWYWYWJ2T/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"assignerShortName": "openEuler",
"cveId": "CVE-2021-33646",
"datePublished": "2022-08-09T00:00:00.000Z",
"dateReserved": "2021-05-28T00:00:00.000Z",
"dateUpdated": "2025-11-03T20:33:40.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-33644 (GCVE-0-2021-33644)
Vulnerability from cvelistv5 – Published: 2022-08-09 00:00 – Updated: 2025-11-03 20:33
VLAI?
Summary
An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longname, causing an out-of-bounds read.
Severity ?
No CVSS data available.
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:33:37.233Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807"
},
{
"name": "FEDORA-2022-fe1a4e3cf0",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YSHZY753R7XW6CIKJVAWI373WW3YRRJ/"
},
{
"name": "FEDORA-2022-50e8a1b51d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/"
},
{
"name": "FEDORA-2022-44a20bba43",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7Q26QDNOJDOFYWMJWEIK5XR62M2FF6IJ/"
},
{
"name": "FEDORA-2022-88772d0a2d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/"
},
{
"name": "FEDORA-2022-ccc68b06cc",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WX5YE66CT7Y5C2HTHXSFDKQWYWYWJ2T/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00026.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "libtar",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\u003c1.2.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longname, causing an out-of-bounds read."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-28T00:00:00.000Z",
"orgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"shortName": "openEuler"
},
"references": [
{
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807"
},
{
"name": "FEDORA-2022-fe1a4e3cf0",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YSHZY753R7XW6CIKJVAWI373WW3YRRJ/"
},
{
"name": "FEDORA-2022-50e8a1b51d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/"
},
{
"name": "FEDORA-2022-44a20bba43",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7Q26QDNOJDOFYWMJWEIK5XR62M2FF6IJ/"
},
{
"name": "FEDORA-2022-88772d0a2d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/"
},
{
"name": "FEDORA-2022-ccc68b06cc",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WX5YE66CT7Y5C2HTHXSFDKQWYWYWJ2T/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"assignerShortName": "openEuler",
"cveId": "CVE-2021-33644",
"datePublished": "2022-08-09T00:00:00.000Z",
"dateReserved": "2021-05-28T00:00:00.000Z",
"dateUpdated": "2025-11-03T20:33:37.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-33643 (GCVE-0-2021-33643)
Vulnerability from cvelistv5 – Published: 2022-08-09 00:00 – Updated: 2025-11-03 20:33
VLAI?
Summary
An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longlink, causing an out-of-bounds read.
Severity ?
No CVSS data available.
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:33:35.833Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807"
},
{
"name": "FEDORA-2022-fe1a4e3cf0",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YSHZY753R7XW6CIKJVAWI373WW3YRRJ/"
},
{
"name": "FEDORA-2022-50e8a1b51d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/"
},
{
"name": "FEDORA-2022-44a20bba43",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7Q26QDNOJDOFYWMJWEIK5XR62M2FF6IJ/"
},
{
"name": "FEDORA-2022-88772d0a2d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/"
},
{
"name": "FEDORA-2022-ccc68b06cc",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WX5YE66CT7Y5C2HTHXSFDKQWYWYWJ2T/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00026.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "libtar",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\u003c1.2.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longlink, causing an out-of-bounds read."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-28T00:00:00.000Z",
"orgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"shortName": "openEuler"
},
"references": [
{
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807"
},
{
"name": "FEDORA-2022-fe1a4e3cf0",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YSHZY753R7XW6CIKJVAWI373WW3YRRJ/"
},
{
"name": "FEDORA-2022-50e8a1b51d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/"
},
{
"name": "FEDORA-2022-44a20bba43",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7Q26QDNOJDOFYWMJWEIK5XR62M2FF6IJ/"
},
{
"name": "FEDORA-2022-88772d0a2d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/"
},
{
"name": "FEDORA-2022-ccc68b06cc",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WX5YE66CT7Y5C2HTHXSFDKQWYWYWJ2T/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"assignerShortName": "openEuler",
"cveId": "CVE-2021-33643",
"datePublished": "2022-08-09T00:00:00.000Z",
"dateReserved": "2021-05-28T00:00:00.000Z",
"dateUpdated": "2025-11-03T20:33:35.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-33645 (GCVE-0-2021-33645)
Vulnerability from cvelistv5 – Published: 2022-08-09 00:00 – Updated: 2025-11-03 20:33
VLAI?
Summary
The th_read() function doesn’t free a variable t->th_buf.gnu_longlink after allocating memory, which may cause a memory leak.
Severity ?
No CVSS data available.
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:33:38.619Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807"
},
{
"name": "FEDORA-2022-fe1a4e3cf0",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YSHZY753R7XW6CIKJVAWI373WW3YRRJ/"
},
{
"name": "FEDORA-2022-50e8a1b51d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/"
},
{
"name": "FEDORA-2022-44a20bba43",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7Q26QDNOJDOFYWMJWEIK5XR62M2FF6IJ/"
},
{
"name": "FEDORA-2022-88772d0a2d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/"
},
{
"name": "FEDORA-2022-ccc68b06cc",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WX5YE66CT7Y5C2HTHXSFDKQWYWYWJ2T/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00026.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "libtar",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\u003c1.2.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The th_read() function doesn\u2019t free a variable t-\u003eth_buf.gnu_longlink after allocating memory, which may cause a memory leak."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401: Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-28T00:00:00.000Z",
"orgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"shortName": "openEuler"
},
"references": [
{
"url": "https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1807"
},
{
"name": "FEDORA-2022-fe1a4e3cf0",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YSHZY753R7XW6CIKJVAWI373WW3YRRJ/"
},
{
"name": "FEDORA-2022-50e8a1b51d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD4HEBSTI22FNYKOKK7W3X6ZQE6FV3XC/"
},
{
"name": "FEDORA-2022-44a20bba43",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7Q26QDNOJDOFYWMJWEIK5XR62M2FF6IJ/"
},
{
"name": "FEDORA-2022-88772d0a2d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S4PJRCJLEAWN2EKXGLSOBTL7O57V7NC/"
},
{
"name": "FEDORA-2022-ccc68b06cc",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WX5YE66CT7Y5C2HTHXSFDKQWYWYWJ2T/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"assignerShortName": "openEuler",
"cveId": "CVE-2021-33645",
"datePublished": "2022-08-09T00:00:00.000Z",
"dateReserved": "2021-05-28T00:00:00.000Z",
"dateUpdated": "2025-11-03T20:33:38.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2013-4420 (GCVE-0-2013-4420)
Vulnerability from cvelistv5 – Published: 2014-02-20 16:00 – Updated: 2024-08-06 16:45
VLAI?
Summary
Multiple directory traversal vulnerabilities in the (1) tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20 and earlier allow remote attackers to overwrite arbitrary files via a .. (dot dot) in a crafted tar file.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Date Public ?
2013-12-10 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:45:14.493Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731860"
},
{
"name": "DSA-2863",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-2863"
},
{
"name": "[libtar] 20150213 Fw: Re: Validation of file names",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.feep.net:8080/pipermail/libtar/2014-February/000403.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-12-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple directory traversal vulnerabilities in the (1) tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20 and earlier allow remote attackers to overwrite arbitrary files via a .. (dot dot) in a crafted tar file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-02-20T13:57:00.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731860"
},
{
"name": "DSA-2863",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-2863"
},
{
"name": "[libtar] 20150213 Fw: Re: Validation of file names",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.feep.net:8080/pipermail/libtar/2014-February/000403.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-4420",
"datePublished": "2014-02-20T16:00:00.000Z",
"dateReserved": "2013-06-12T00:00:00.000Z",
"dateUpdated": "2024-08-06T16:45:14.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-4397 (GCVE-0-2013-4397)
Vulnerability from cvelistv5 – Published: 2013-10-17 23:00 – Updated: 2024-08-06 16:45
VLAI?
Summary
Multiple integer overflows in the th_read function in lib/block.c in libtar before 1.2.20 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) name or (2) link in an archive, which triggers a heap-based buffer overflow.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
Date Public ?
2013-10-01 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:45:14.871Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[libtar] 20131009 ANNOUNCE: libtar version 1.2.20",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.feep.net:8080/pipermail/libtar/2013-October/000361.html"
},
{
"name": "RHSA-2013:1418",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1418.html"
},
{
"name": "55253",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/55253"
},
{
"name": "1029166",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1029166"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://source.android.com/security/bulletin/2018-01-01"
},
{
"name": "[oss-security] 20131010 Re: Integer overflow in libtar (\u003c= 1.2.19)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/10/6"
},
{
"name": "55188",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/55188"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://repo.or.cz/w/libtar.git/commitdiff/45448e8bae671c2f7e80b860ae0fc0cedf2bdc04"
},
{
"name": "1040106",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040106"
},
{
"name": "DSA-2817",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2013/dsa-2817"
},
{
"name": "62922",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/62922"
},
{
"name": "[oss-security] 20131010 Integer overflow in libtar (\u003c= 1.2.19)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/10/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-10-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple integer overflows in the th_read function in lib/block.c in libtar before 1.2.20 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) name or (2) link in an archive, which triggers a heap-based buffer overflow."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-12T22:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[libtar] 20131009 ANNOUNCE: libtar version 1.2.20",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.feep.net:8080/pipermail/libtar/2013-October/000361.html"
},
{
"name": "RHSA-2013:1418",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1418.html"
},
{
"name": "55253",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/55253"
},
{
"name": "1029166",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1029166"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://source.android.com/security/bulletin/2018-01-01"
},
{
"name": "[oss-security] 20131010 Re: Integer overflow in libtar (\u003c= 1.2.19)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/10/6"
},
{
"name": "55188",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/55188"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://repo.or.cz/w/libtar.git/commitdiff/45448e8bae671c2f7e80b860ae0fc0cedf2bdc04"
},
{
"name": "1040106",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040106"
},
{
"name": "DSA-2817",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2013/dsa-2817"
},
{
"name": "62922",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/62922"
},
{
"name": "[oss-security] 20131010 Integer overflow in libtar (\u003c= 1.2.19)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2013/10/10/4"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-4397",
"datePublished": "2013-10-17T23:00:00.000Z",
"dateReserved": "2013-06-12T00:00:00.000Z",
"dateUpdated": "2024-08-06T16:45:14.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}