From 491b59fbd71c094771b4558dda4f8d9148cf802a Mon Sep 17 00:00:00 2001
From: wangjiang <wangjiang37@h-partners.com>
Date: Wed, 8 Feb 2023 15:34:11 +0800
Subject: [PATCH] fix CVE-2022-48303

(cherry picked from commit d52f82a727ae31ec1883fa40a7cd64923c9e7316)
---
 backport-CVE-2022-48303.patch | 31 +++++++++++++++++++++++++++++++
 tar.spec                      |  6 +++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-48303.patch

diff --git a/backport-CVE-2022-48303.patch b/backport-CVE-2022-48303.patch
new file mode 100644
index 0000000..a188978
--- /dev/null
+++ b/backport-CVE-2022-48303.patch
@@ -0,0 +1,31 @@
+From 1d530107a24d71e798727d7f0afa0833473d1074 Mon Sep 17 00:00:00 2001
+From: Matej Mužila <mmuzila@gmail.com>
+Date: Wed, 11 Jan 2023 08:55:58 +0100
+Subject: [PATCH] Fix savannah bug #62387
+
+* src/list.c (from_header): Check for the end of field after leading byte
+  (0x80 or 0xff) of base-256 encoded header value
+---
+ src/list.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc425..bf41b581 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -899,6 +899,12 @@ from_header (char const *where0, size_t digs, char const *type,
+ 			   << (CHAR_BIT * sizeof (uintmax_t)
+ 			       - LG_256 - (LG_256 - 2)));
+       value = (*where++ & ((1 << (LG_256 - 2)) - 1)) - signbit;
++      if (where == lim)
++        {
++          if (type && !silent)
++            ERROR ((0, 0, _("Archive base-256 value is invalid")));
++          return -1;
++        }
+       for (;;)
+ 	{
+ 	  value = (value << LG_256) + (unsigned char) *where++;
+-- 
+2.38.1
+
diff --git a/tar.spec b/tar.spec
index ec75682..562f936 100644
--- a/tar.spec
+++ b/tar.spec
@@ -1,6 +1,6 @@
 Name:          tar
 Version:       1.32
-Release:       2
+Release:       3
 Epoch:         2
 Summary:       An organized and systematic method of controlling a large amount of data
 License:       GPLv3+
@@ -9,6 +9,7 @@ Source0:       https://ftp.gnu.org/gnu/tar/tar-%{version}.tar.xz
 Source1:       https://ftp.gnu.org/gnu/tar/tar-%{version}.tar.xz.sig
 
 Patch6000:     backport-CVE-2021-20193.patch
+Patch6001:     backport-CVE-2022-48303.patch
 
 BuildRequires: autoconf automake texinfo gettext libacl-devel attr acl policycoreutils
 Provides:      bundled(gnulib) /bin/tar /bin/gtar
@@ -76,6 +77,9 @@ make check
 %{_infodir}/tar.info*
 
 %changelog
+* Wed Feb 08 2023 wangjiang <wangjiang37@h-partners.com> 2:1.32-3
+- fix CVE-2022-48303
+
 * Wed Apr 14 2021 shixuantong <shixuantong> - 2:1.32-2 
 - fix CVE-2021-20193
 
-- 
Gitee