CVE-2018-20482
First published: Wed Dec 26 2018(Updated: )
GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GNU tar | <=1.30 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| openSUSE Leap | =15.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454
- http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html
- http://www.securityfocus.com/bid/106354
- https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html
- https://lists.debian.org/debian-lts-announce/2021/11/msg00025.html
- https://news.ycombinator.com/item?id=18745431
- https://security.gentoo.org/glsa/201903-05
- https://twitter.com/thatcks/status/1076166645708668928
- https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug
Frequently Asked Questions
What is the severity of CVE-2018-20482?
The severity of CVE-2018-20482 is medium with a CVSS severity score of 4.7.
How does CVE-2018-20482 affect GNU Tar?
CVE-2018-20482 affects GNU Tar versions up to and including 1.30 when the --sparse option is used.
How does CVE-2018-20482 impact Debian Debian Linux 8.0?
CVE-2018-20482 impacts Debian Debian Linux 8.0.
How can a local user exploit CVE-2018-20482?
A local user can exploit CVE-2018-20482 by modifying a file that is supposed to be archived by a different user's process, causing a denial of service with an infinite read loop in sparse_dump_region in sparse.c.
Are there any fixes available for CVE-2018-20482?
Yes, fixes are available for CVE-2018-20482. It is recommended to update GNU Tar to a version higher than 1.30.
- collector/nvd-index
- agent/weakness
- agent/references
- agent/type
- agent/event
- agent/severity
- agent/author
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/gnu
- canonical/gnu tar
- version/gnu tar/1.30
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.0