ID CVE-2013-4397
Summary Multiple integer overflows in the th_read function in lib/block.c in libtar before 1.2.20 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) name or (2) link in an archive, which triggers a heap-based buffer overflow.
References
Vulnerable Configurations
  • cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:feep:libtar:1.2.11:*:*:*:*:*:*:*
  • cpe:2.3:a:feep:libtar:1.2.13:*:*:*:*:*:*:*
  • cpe:2.3:a:feep:libtar:1.2.14:*:*:*:*:*:*:*
  • cpe:2.3:a:feep:libtar:1.2.15:*:*:*:*:*:*:*
  • cpe:2.3:a:feep:libtar:1.2.16:*:*:*:*:*:*:*
  • cpe:2.3:a:feep:libtar:1.2.17:*:*:*:*:*:*:*
  • cpe:2.3:a:feep:libtar:1.2.18:*:*:*:*:*:*:*
  • cpe:2.3:a:feep:libtar:1.2.19:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 22-04-2019 - 17:48)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
redhat via4
advisories
bugzilla
id 1014492
title CVE-2013-4397 libtar: Heap-based buffer overflows by expanding a specially-crafted archive
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhba:tst:20111656001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhba:tst:20111656002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20111656004
  • OR
    • AND
      • comment libtar is earlier than 0:1.2.11-17.el6_4.1
        oval oval:com.redhat.rhsa:tst:20131418005
      • comment libtar is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20131418006
    • AND
      • comment libtar-devel is earlier than 0:1.2.11-17.el6_4.1
        oval oval:com.redhat.rhsa:tst:20131418007
      • comment libtar-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20131418008
rhsa
id RHSA-2013:1418
released 2013-10-10
severity Moderate
title RHSA-2013:1418: libtar security update (Moderate)
rpms
  • libtar-0:1.2.11-17.el6_4.1
  • libtar-devel-0:1.2.11-17.el6_4.1
refmap via4
bid 62922
confirm
debian DSA-2817
mlist
  • [libtar] 20131009 ANNOUNCE: libtar version 1.2.20
  • [oss-security] 20131010 Integer overflow in libtar (<= 1.2.19)
  • [oss-security] 20131010 Re: Integer overflow in libtar (<= 1.2.19)
sectrack
  • 1029166
  • 1040106
secunia
  • 55188
  • 55253
Last major update 22-04-2019 - 17:48
Published 17-10-2013 - 23:55