From d4d483451f0a305781b94b96c15a6cf4b489cd84 Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Sun, 1 Oct 2023 16:23:56 +0200 Subject: [PATCH] package/tar: security bump to version 1.35 - Fix CVE-2022-48303: GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters. - Update hash of COPYING (http replaced by https) https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html Signed-off-by: Fabrice Fontaine Signed-off-by: Peter Korsgaard --- package/tar/tar.hash | 6 +++--- package/tar/tar.mk | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/package/tar/tar.hash b/package/tar/tar.hash index 1914a9f3b4..108a95ee62 100644 --- a/package/tar/tar.hash +++ b/package/tar/tar.hash @@ -1,4 +1,4 @@ # Locally calculated after checking signature -sha256 63bebd26879c5e1eea4352f0d03c991f966aeb3ddeb3c7445c902568d5411d28 tar-1.34.tar.xz -sha256 51337b19c71df92cd4f51c50efe4dc6ddc267d31fd54679be9e9bc2e6ce8132b tar-1.34.cpio.gz -sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 COPYING +sha256 4d62ff37342ec7aed748535323930c7cf94acf71c3591882b26a7ea50f3edc16 tar-1.35.tar.xz +sha256 c77a38fcf25b21fd8209d20d35638744344ded239cfc7df80138bf46d3c6b16d tar-1.35.cpio.gz +sha256 3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986 COPYING diff --git a/package/tar/tar.mk b/package/tar/tar.mk index 690a5952ba..eea112ebc7 100644 --- a/package/tar/tar.mk +++ b/package/tar/tar.mk @@ -4,7 +4,7 @@ # ################################################################################ -TAR_VERSION = 1.34 +TAR_VERSION = 1.35 TAR_SOURCE = tar-$(TAR_VERSION).tar.xz TAR_SITE = $(BR2_GNU_MIRROR)/tar # busybox installs in /bin, so we need tar to install as well in /bin