CVE-2021-20193

Published: 26 March 2021

A flaw was found in src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.

Notes

Author: sbeattie
Note: the tar command failed to free memory. As this is a command line tool denial of service, this has been rated as priority low
Priority

Low

CVSS 3 base score: 5.5

Status

Package: tar (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Released (1.29b-2ubuntu0.3)
focal      Released (1.30+dfsg-7ubuntu0.20.04.2)
groovy     Ignored (reached end-of-life)
hirsute    Released (1.34+dfsg-1build1)
impish     Released (1.34+dfsg-1build1)
jammy      Needs triage
precise    Ignored (end of ESM support, was needs-triage)
trusty     Released (1.27.1-1ubuntu0.1+esm2)
upstream   Released (1.34)
xenial     Released (1.28-2.1ubuntu0.2+esm1)

Patches:
upstream: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777