The Common Vulnerabilities and Exposures (CVE) system has assigned the identifier CVE-2022-48303 to a one-byte out-of-bounds read in the GNU Tar utility. The vulnerability affects GNU Tar up to and including version 1.34. In this post, we'll examine the root cause, discuss the affected code, and provide references for users who want more context.

Please note that exploitation of this vulnerability to alter control flow has not been demonstrated. It is still worth being aware of the issue and applying the fix once your distribution ships it.

Background

GNU Tar is a widely used utility for creating and extracting archive files. The vulnerability we're discussing stems from the processing of archive headers. Specifically, it occurs in the from_header function in list.c, which parses the numeric (octal) fields of a header, when the header is in the V7 archive format. The issue arises when the modification time (mtime) field, which is 12 bytes wide, contains approximately 11 whitespace characters.

The snippet below shows the mtime read in the form used by older GNU Tar releases, where the numeric fields were converted by from_oct with an explicit byte count. GNU Tar 1.34 parses the same field through from_header (the function the CVE names), passing the field together with its width, sizeof header->header.mtime, i.e. 12 bytes.

static void
from_header(struct tar_stat_info *st, union block *header, char *arg)
{
  [...]

  st->stat.st_mtime = from_oct(1 + 12, header->header.mtime);
  [...]

}

In the snippet, the mtime field is 12 bytes wide, but the count passed to from_oct is 1 + 12, so the scan may touch a 13th byte, the one immediately after the field. Whether that byte is a terminating space or NUL or, when the field is all whitespace, simply the first byte of the neighbouring chksum field, the parser compares against a byte it was never given. That is the one-byte out-of-bounds read: the read stays inside the 512-byte header block but outside the field the function is supposed to parse.

Exploit Details

As mentioned earlier, this vulnerability hasn't been shown to change the flow of control. What has been observed is a conditional jump that depends on a byte outside the field (reported by Valgrind as use of uninitialized memory), which is undefined behavior; in practice it means the parser's decision for that header rests on a byte it should never have looked at. No information disclosure or code execution has been demonstrated.

To trigger the bug, an attacker would need to craft a V7 archive whose header carries approximately 11 whitespace characters in the 12-byte mtime field. When the victim lists (tar -t) or extracts (tar -x) that archive with GNU Tar 1.34 or earlier, the one-byte out-of-bounds read occurs while the header is parsed.
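The following is an added example, not code from GNU Tar or from the original post. It builds a V7 header of the kind described above (a zero-length regular file whose mtime field is all whitespace, with a correct header checksum), and parses the mtime field with a bounds-checked octal reader that is given the field's real width and never dereferences the byte after it, which is the property the vulnerable parser lacks. The struct and function names (v7_header, parse_octal_field, build_header, header_mtime) are this example's own; only the field layout follows the V7 format referenced below.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* V7 tar header (one 512-byte block). Field order and widths follow the
   V7 layout; the struct itself is this example's own definition. */
struct v7_header {
    char name[100];
    char mode[8];
    char uid[8];
    char gid[8];
    char size[12];
    char mtime[12];
    char chksum[8];
    char linkflag;
    char linkname[100];
    char pad[255];
};

/* Parse an octal field of exactly `digs` bytes without ever reading
   field[digs]. Leading blanks are skipped (old tars wrote them); an
   all-blank or malformed field returns -1 with *ok = 0. */
static int64_t parse_octal_field(const char *field, size_t digs, int *ok)
{
    const char *p = field, *lim = field + digs;  /* lim: first byte NOT ours */
    int64_t value = 0;

    *ok = 0;
    while (p < lim && isspace((unsigned char)*p))  /* bound checked first */
        p++;
    if (p == lim || *p < '0' || *p > '7')
        return -1;                 /* all blanks, or no octal digit */
    while (p < lim && *p >= '0' && *p <= '7') {
        if (value > (INT64_MAX >> 3))
            return -1;             /* would overflow int64_t */
        value = (value << 3) | (int64_t)(*p++ - '0');
    }
    /* A field may fill all `digs` bytes or end in NUL/space; anything
       else is rejected. */
    if (p < lim && *p != '\0' && !isspace((unsigned char)*p))
        return -1;
    *ok = 1;
    return value;
}

/* Fill chksum: sum of all 512 bytes with chksum itself counted as eight
   spaces, stored as six octal digits, NUL, space. */
static void set_checksum(struct v7_header *h)
{
    const unsigned char *b = (const unsigned char *)h;
    unsigned long sum = 0;
    memset(h->chksum, ' ', sizeof h->chksum);
    for (size_t i = 0; i < sizeof *h; i++)
        sum += b[i];
    snprintf(h->chksum, sizeof h->chksum, "%06lo", sum);
    h->chksum[7] = ' ';
}

/* Recompute the checksum and compare it with the stored field. */
static int checksum_valid(const struct v7_header *h)
{
    struct v7_header copy = *h;
    set_checksum(&copy);
    return memcmp(copy.chksum, h->chksum, sizeof h->chksum) == 0;
}

/* Constructed sample: header for a zero-length regular file whose mtime
   field is whatever 12 bytes the caller supplies. */
static void build_header(struct v7_header *h, const char *name,
                         const char mtime_field[12])
{
    memset(h, 0, sizeof *h);
    snprintf(h->name, sizeof h->name, "%s", name);
    memcpy(h->mode, "0000644", 8);          /* 7 digits + NUL */
    memcpy(h->uid,  "0000000", 8);
    memcpy(h->gid,  "0000000", 8);
    memcpy(h->size, "00000000000", 12);     /* 11 digits + NUL */
    memcpy(h->mtime, mtime_field, 12);
    h->linkflag = '0';
    set_checksum(h);
}

/* Parse mtime with its real width, so lim == h->chksum and the parser
   never looks at the checksum's first byte. */
static int64_t header_mtime(const struct v7_header *h, int *ok)
{
    return parse_octal_field(h->mtime, sizeof h->mtime, ok);
}

int main(void)
{
    struct v7_header h;
    int ok;
    /* The case the CVE describes: a V7 header whose mtime is blanks
       (11 spaces followed by NUL). */
    build_header(&h, "blank-mtime.txt", "           ");
    printf("blank mtime  -> %lld (ok=%d, checksum %s)\n",
           (long long)header_mtime(&h, &ok), ok,
           checksum_valid(&h) ? "valid" : "bad");
    build_header(&h, "normal.txt", "14000000000 ");
    printf("normal mtime -> %lld (ok=%d)\n",
           (long long)header_mtime(&h, &ok), ok);
    return 0;
}
```

Writing the 512-byte struct to a file (followed by two zero blocks) yields an archive that tar -t will list, which is how such a header reaches from_header in an affected release; the parser above shows the behaviour a fixed reader must have: an all-blank field ends the scan at lim and is reported as invalid (-1) without touching the adjacent chksum byte.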

More information about this vulnerability can be found in the following sources:

1. CVE-2022-48303: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48303
2. GNU Tar: https://www.gnu.org/software/tar/
3. GNU Tar 1.34 source code: https://ftp.gnu.org/gnu/tar/tar-1.34.tar.xz
4. V7 Archive format description: https://en.wikipedia.org/wiki/Tar_(computing)#V7

Conclusion

While CVE-2022-48303 has not been shown to give an attacker control over the flow of execution in GNU Tar 1.34, the fix is in GNU Tar 1.35 and has been backported by distributions to their 1.34 packages, so updating is straightforward. We hope this post gave a clear picture of the issue and its consequences; consult the references above for further details.

Timeline

Published on: 01/30/2023 04:15:00 UTC
Last modified on: 03/27/2023 00:15:00 UTC