apk-tools: Out-of-bounds read during tar parsing (CVE-2021-30139)
apk performs insufficient sanity checks on tar entries. The code for parsing tar entries in apk assumes that the fields are null-terminated and uses string function on them without a prior check if null terminators are actually present. This will cause an out-of-bounds read when they are not. This code is run before the signature is validated.
Fixed In Version:
2.10.6, 2.12.5
Reference:
Affected branches:
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information