fix CVE-2022-48303

(cherry picked from commit 1f1003635ed4de8cbbea97d87c51a70f8893f27f)

backport-CVE-2022-48303.patch

@@ -0,0 +1,31 @@
+From 1d530107a24d71e798727d7f0afa0833473d1074 Mon Sep 17 00:00:00 2001
+From: Matej Mužila <mmuzila@gmail.com>
+Date: Wed, 11 Jan 2023 08:55:58 +0100
+Subject: [PATCH] Fix savannah bug #62387
+
+* src/list.c (from_header): Check for the end of field after leading byte
+  (0x80 or 0xff) of base-256 encoded header value
+---
+ src/list.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc425..bf41b581 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -899,6 +899,12 @@ from_header (char const *where0, size_t digs, char const *type,
+ 			   << (CHAR_BIT * sizeof (uintmax_t)
+ 			       - LG_256 - (LG_256 - 2)));
+       value = (*where++ & ((1 << (LG_256 - 2)) - 1)) - signbit;
++      if (where == lim)
++        {
++          if (type && !silent)
++            ERROR ((0, 0, _("Archive base-256 value is invalid")));
++          return -1;
++        }
+       for (;;)
+ 	{
+ 	  value = (value << LG_256) + (unsigned char) *where++;
+-- 
+2.38.1
+

tar.spec

@@ -1,6 +1,6 @@
 Name:          tar
 Version:       1.34
-Release:       3
+Release:       4
 Epoch:         2
 Summary:       An organized and systematic method of controlling a large amount of data
 License:       GPLv3+
@@ -12,6 +12,8 @@ BuildRequires: autoconf automake texinfo gettext libacl-devel attr acl policycor
 BuildRequires: gcc
 Provides:      bundled(gnulib) /bin/tar /bin/gtar
 
+Patch6000:     backport-CVE-2022-48303.patch
+
 Patch0001:     tar-1.28-loneZeroWarning.patch
 Patch0002:     tar-1.28-vfatTruncate.patch
 Patch0003:     tar-1.29-wildcards.patch
@@ -76,6 +78,9 @@ make check
 %{_infodir}/tar.info*
 
 %changelog
+* Wed Feb 08 2023 wangjiang <wangjiang37@h-partners.com> 2:1.34-4
+- fix CVE-2022-48303
+
 * Fri Nov 11 2022 wuzx<wuzx1226@qq.com> - 2:1.34-3
 - Add sw64 architecture