The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Google Android Lollipop

Computer vulnerability bulletin CVE-2013-4397

libtar: integer overflow of th_read

Synthesis of the vulnerability

An attacker can generate an integer overflow in the th_read() function of libtar, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Android OS, RHEL, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 10/10/2013.
Identifiers: CVE-2013-4397, DSA-2817-1, FEDORA-2013-18785, FEDORA-2013-18808, MDVSA-2013:253, RHSA-2013:1418-01, SOL16015326, VIGILANCE-VUL-13578.

Description of the vulnerability

The libtar library is used to extract TAR archives.

The th_read() function of the lib/block.c file reads TAR block headers. However, when size fields taken from the TAR file are too large, a multiplication on them overflows, and the memory area allocated from the wrapped result is too short for the data that is then written into it.

An attacker can therefore generate an integer overflow in the th_read() function of libtar, in order to trigger a denial of service, and possibly to execute code.
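The defensive pattern that prevents this class of bug, as an added example that is not libtar's code: the size field is parsed with bounds checking, and the block-rounded allocation size is refused before malloc() whenever the product would wrap. The "one spare block" layout is an assumption of this hypothetical reader, not a statement about libtar's internals.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define T_BLOCKSIZE 512   /* TAR block size */

/* Parse a ustar octal ASCII field (blank- or NUL-terminated) into *out.
   Returns -1 if the field is malformed or the value would not fit in uint64_t. */
static int parse_octal_field(const char *field, size_t len, uint64_t *out)
{
    uint64_t v = 0;
    size_t i = 0;
    while (i < len && field[i] == ' ') i++;              /* skip leading blanks */
    if (i == len || field[i] == '\0') return -1;         /* empty field */
    for (; i < len && field[i] != '\0' && field[i] != ' '; i++) {
        if (field[i] < '0' || field[i] > '7') return -1; /* not an octal digit */
        if (v > (UINT64_MAX >> 3)) return -1;            /* v * 8 would wrap */
        v = (v << 3) | (uint64_t)(field[i] - '0');
    }
    *out = v;
    return 0;
}

/* Bytes needed to hold `sz` payload bytes rounded up to whole blocks, plus one
   spare block (a layout assumed for this hypothetical reader, e.g. for a NUL).
   Returns 0 when blocks * T_BLOCKSIZE would overflow size_t: this is the check
   whose absence lets an oversized header field yield an undersized allocation. */
static size_t blocked_alloc_size(uint64_t sz)
{
    uint64_t blocks = sz / T_BLOCKSIZE + 1;   /* cannot wrap: sz/512 < 2^64/512 */
    if (blocks > SIZE_MAX / T_BLOCKSIZE) return 0;
    return (size_t)blocks * T_BLOCKSIZE;
}

/* Combined check for a raw header field: allocation size, or 0 if rejected. */
static size_t alloc_size_for_field(const char *field, size_t len)
{
    uint64_t sz;
    if (parse_octal_field(field, len, &sz) != 0) return 0;
    return blocked_alloc_size(sz);
}

/* Allocate only after the checks pass; NULL on rejection or out of memory. */
static void *alloc_for_field(const char *field, size_t len)
{
    size_t n = alloc_size_for_field(field, len);
    return n ? malloc(n) : NULL;
}
```

A malformed or overflowing field is rejected before any allocation, so a wrapped product can never reach malloc().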
