Control: tags -1 + fixed-upstream

On Wed, Dec 26, 2018 at 09:57:29PM +0100, Salvatore Bonaccorso wrote:
> Source: tar
> Version: 1.30+dfsg-3
> Severity: important
> Tags: security upstream
>
> Hi,
>
> The following vulnerability was published for tar.
>
> CVE-2018-20482[0]:
> | GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage
> | during read access, which allows local users to cause a denial of
> | service (infinite read loop in sparse_dump_region in sparse.c) by
> | modifying a file that is supposed to be archived by a different user's
> | process (e.g., a system backup running as root).
This has been fixed upstream; I think this would be good to have already
fixed in buster in time. It does not look severe enough for stretch to have
a DSA for it, but it might be good to fix this issue as well in stable via
a point release.

Regards,
Salvatore
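The failure mode in the quoted CVE text (a dump loop that keeps calling read() on a file that another process has truncated underneath it) is easy to reproduce in miniature. The program below is an added illustration written for this page; it is not tar's sparse.c and does not reproduce the upstream fix. The function names (dump_region_vulnerable, dump_region_fixed, run_scenario), the writer_hook callback that stands in for the other user's process, and the sample file contents are all invented for the example. The vulnerable loop is capped at a fixed number of iterations so that the demo terminates where real code would spin forever.

```c
/* Added illustration of the CVE-2018-20482 read-loop pattern. Not tar's code:
 * every name below is hypothetical. Requires POSIX (mkstemp, ftruncate). */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum dump_status { DUMP_OK = 0, DUMP_SHRANK = 1, DUMP_SPINNING = 2, DUMP_IOERR = 3 };

/* Hypothetical hook: called after each chunk to simulate a concurrent writer
 * (the "different user's process" in the advisory) touching the file. */
typedef void (*writer_hook)(int fd, void *ctx);

struct shrink { int done; off_t new_len; };

/* Truncate the file once, the first time the hook fires. */
static void shrink_once(int fd, void *ctx)
{
    struct shrink *s = ctx;
    if (!s->done) {
        (void)ftruncate(fd, s->new_len);
        s->done = 1;
    }
}

/* Vulnerable pattern: keep reading until 'size' bytes (the stat()-time region
 * length) have been consumed. A 0-byte read means the file is now shorter than
 * expected, but 'size' never changes, so without the max_iters cap the loop
 * would never terminate. */
static enum dump_status dump_region_vulnerable(int fd, off_t offset, size_t size,
                                              writer_hook hook, void *ctx,
                                              unsigned max_iters)
{
    char buf[512];
    unsigned iters = 0;
    if (lseek(fd, offset, SEEK_SET) < 0)
        return DUMP_IOERR;
    while (size > 0) {
        if (++iters > max_iters)
            return DUMP_SPINNING;           /* stand-in for "loops forever" */
        size_t want = size < sizeof buf ? size : sizeof buf;
        ssize_t n = read(fd, buf, want);
        if (n < 0)
            return DUMP_IOERR;
        size -= (size_t)n;                  /* n == 0 leaves size untouched */
        if (hook)
            hook(fd, ctx);
    }
    return DUMP_OK;
}

/* Hardened pattern: a 0-byte read before the region is complete is treated
 * as shrinkage and reported instead of being retried. */
static enum dump_status dump_region_fixed(int fd, off_t offset, size_t size,
                                         writer_hook hook, void *ctx)
{
    char buf[512];
    if (lseek(fd, offset, SEEK_SET) < 0)
        return DUMP_IOERR;
    while (size > 0) {
        size_t want = size < sizeof buf ? size : sizeof buf;
        ssize_t n = read(fd, buf, want);
        if (n < 0)
            return DUMP_IOERR;
        if (n == 0)
            return DUMP_SHRANK;             /* file shrank under us: stop */
        size -= (size_t)n;
        if (hook)
            hook(fd, ctx);
    }
    return DUMP_OK;
}

/* Build an unlinked temp file holding 'len' bytes of constructed sample data. */
static int make_sample_file(size_t len)
{
    char tmpl[] = "/tmp/sparse-demo-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    unlink(tmpl);
    char block[512];
    memset(block, 'A', sizeof block);
    while (len > 0) {
        size_t w = len < sizeof block ? len : sizeof block;
        if (write(fd, block, w) != (ssize_t)w) { close(fd); return -1; }
        len -= w;
    }
    return fd;
}

/* Dump a 4 KiB region; if 'shrink' is set, the file is truncated to 1 KiB
 * after the first chunk is read. Returns the dump status. */
static enum dump_status run_scenario(int fixed, int shrink)
{
    int fd = make_sample_file(4096);
    if (fd < 0)
        return DUMP_IOERR;
    struct shrink s = { 0, 1024 };
    writer_hook hook = shrink ? shrink_once : NULL;
    enum dump_status st = fixed
        ? dump_region_fixed(fd, 0, 4096, hook, &s)
        : dump_region_vulnerable(fd, 0, 4096, hook, &s, 1000);
    close(fd);
    return st;
}

int main(void)
{
    printf("vulnerable, file shrinks: %d (2 = would spin)\n", run_scenario(0, 1));
    printf("fixed, file shrinks:      %d (1 = shrink detected)\n", run_scenario(1, 1));
    printf("fixed, stable file:       %d (0 = ok)\n", run_scenario(1, 0));
    return 0;
}
```

The point to take from the run is that the only thing separating a hang from a clean error is how a zero-length read is interpreted: once the region length is taken from an earlier stat() and never re-checked, EOF arriving early has to be treated as a terminating condition, otherwise any local user who can write to a file being backed up can stall the backup process indefinitely.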