apk-tools: Out-of-bounds read during tar parsing (CVE-2021-30139)
apk performs insufficient sanity checks on tar entries. The code for parsing tar entries in apk assumes that the header fields are null-terminated and calls string functions on them without first checking that a null terminator is actually present. This causes an out-of-bounds read when one is not. This code runs before the signature is validated.
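As an added example (not apk-tools code), a bounded reader for tar header fields in C illustrating the class of check the description calls for: every accessor takes the field width and never assumes a NUL terminator. The struct follows the POSIX ustar layout; the sample header with an unterminated name field is constructed here.

```c
#include <stddef.h>
#include <string.h>

struct tar_header {            /* POSIX ustar, 512 bytes; fields are NOT NUL-terminated */
    char name[100], mode[8], uid[8], gid[8], size[12], mtime[12], chksum[8];
    char typeflag, linkname[100], magic[6], version[2];
    char rest[247];            /* uname, gname, devmajor/minor, prefix, padding */
};

/* Bounded length of a header field. A plain strlen() would run past the
   field when no NUL is present; memchr() stops at the field width. */
static size_t field_len(const char *field, size_t width)
{
    const char *nul = memchr(field, '\0', width);
    return nul ? (size_t)(nul - field) : width;
}

/* Copy a field into a caller buffer that is always NUL-terminated.
   Returns 0 on success, -1 if dst cannot hold the field plus the NUL. */
static int field_copy(char *dst, size_t dstlen, const char *field, size_t width)
{
    size_t n = field_len(field, width);
    if (n >= dstlen) return -1;
    memcpy(dst, field, n);
    dst[n] = '\0';
    return 0;
}

/* Parse an octal field (size, mtime, ...) bounded by the field width rather
   than by a terminator. Returns -1 on a non-octal character. */
static long long field_octal(const char *field, size_t width)
{
    long long v = 0;
    for (size_t i = 0; i < width && field[i] != '\0' && field[i] != ' '; i++) {
        if (field[i] < '0' || field[i] > '7') return -1;
        v = v * 8 + (field[i] - '0');
    }
    return v;
}

/* Constructed sample: name field is 100 bytes of 'A' with no NUL anywhere. */
static const struct tar_header *sample_unterminated_header(void)
{
    static struct tar_header h;
    memset(&h, 0, sizeof h);
    memset(h.name, 'A', sizeof h.name);
    memcpy(h.size, "00000001000", 12);   /* octal 1000 = 512 bytes, NUL included */
    memcpy(h.magic, "ustar", 6);
    return &h;
}
```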
Fixed In Version:
2.10.6, 2.12.5
Edited by Natanael Copa