ID CVE-2013-4397
Summary Multiple integer overflows in the th_read function in lib/block.c in libtar before 1.2.20 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) name or (2) link in an archive, which triggers a heap-based buffer overflow.
References
Vulnerable Configurations
  • cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:feep:libtar:1.2.14:*:*:*:*:*:*:*
  • cpe:2.3:a:feep:libtar:1.2.17:*:*:*:*:*:*:*
  • cpe:2.3:a:feep:libtar:-:*:*:*:*:*:*:*
  • cpe:2.3:a:feep:libtar:1.2.11:*:*:*:*:*:*:*
  • cpe:2.3:a:feep:libtar:1.2.13:*:*:*:*:*:*:*
  • cpe:2.3:a:feep:libtar:1.2.15:*:*:*:*:*:*:*
  • cpe:2.3:a:feep:libtar:1.2.16:*:*:*:*:*:*:*
  • cpe:2.3:a:feep:libtar:1.2.18:*:*:*:*:*:*:*
  • cpe:2.3:a:feep:libtar:1.2.19:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 13-02-2023 - 04:46)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
redhat via4
advisories
bugzilla
id 1014492
title CVE-2013-4397 libtar: Heap-based buffer overflows by expanding a specially-crafted archive
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 6 is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • comment libtar is earlier than 0:1.2.11-17.el6_4.1
          oval oval:com.redhat.rhsa:tst:20131418001
        • comment libtar is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131418002
      • AND
        • comment libtar-devel is earlier than 0:1.2.11-17.el6_4.1
          oval oval:com.redhat.rhsa:tst:20131418003
        • comment libtar-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131418004
rhsa
id RHSA-2013:1418
released 2013-10-10
severity Moderate
title RHSA-2013:1418: libtar security update (Moderate)
rpms
  • libtar-0:1.2.11-17.el6_4.1
  • libtar-debuginfo-0:1.2.11-17.el6_4.1
  • libtar-devel-0:1.2.11-17.el6_4.1
refmap via4
bid 62922
confirm
debian DSA-2817
mlist
  • [libtar] 20131009 ANNOUNCE: libtar version 1.2.20
  • [oss-security] 20131010 Integer overflow in libtar (<= 1.2.19)
  • [oss-security] 20131010 Re: Integer overflow in libtar (<= 1.2.19)
sectrack
  • 1029166
  • 1040106
secunia
  • 55188
  • 55253
Last major update 13-02-2023 - 04:46
Published 17-10-2013 - 23:55
Last modified 13-02-2023 - 04:46