UbuntuUpdates.org

Package "tar"

Name: tar

Description:

GNU version of the tar archiving utility
Latest version: 1.34+dfsg-1ubuntu0.1.22.04.3
Release: jammy (22.04)
Level: security
Repository: main
Homepage: https://www.gnu.org/software/tar/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "tar"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "tar" in Jammy

Repository Area Version
base main 1.34+dfsg-1build3
base universe 1.34+dfsg-1build3
security universe 1.34+dfsg-1ubuntu0.1.22.04.3
updates main 1.34+dfsg-1ubuntu0.1.22.04.3
updates universe 1.34+dfsg-1ubuntu0.1.22.04.3

Changelog

Version: 1.34+dfsg-1ubuntu0.1.22.04.3 2026-06-25 22:07:28 UTC

  tar (1.34+dfsg-1ubuntu0.1.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: file injection via crafted archive
    - debian/patches/CVE-2026-5704.patch: always call skip_member() after
      extraction in extract_archive(), remove conditional skip_member()
      from purge_directory(), skip directory data in skim_member(), and
      stop forcing LNKTYPE size to zero in read_header().
    - CVE-2026-5704

 -- Leonidas Da Silva Barbosa <email address hidden> Fri, 19 Jun 2026 13:40:04 -0300
Source diff to previous version
CVE-2026-5704 A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fu

Version: 1.34+dfsg-1ubuntu0.1.22.04.2 2023-12-11 13:09:00 UTC

  tar (1.34+dfsg-1ubuntu0.1.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: stack overflow via crafted xattr (LP: #2029464)
    - debian/patches/CVE-2023-39804.patch: allocate xattr keys and values
      on the heap rather than the stack in src/xheader.c
    - CVE-2023-39804

 -- Alex Murray <email address hidden> Tue, 05 Dec 2023 15:45:51 +1030
Source diff to previous version
2029464 A stack overflow in GNU Tar

Version: 1.34+dfsg-1ubuntu0.1.22.04.1 2023-02-28 19:06:58 UTC

  tar (1.34+dfsg-1ubuntu0.1.22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: one-byte out of bounds
    - debian/patches/CVE-2022-48303.patch: check limit in
      src/list.c.
    - CVE-2022-48303

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 15 Feb 2023 12:45:50 -0300
CVE-2022-48303 GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the


About   -   Send Feedback to @ubuntu_updates