upstream fix

About this tag
The upstream fix tag on WindowsForum.com covers discussions about software patches that originate from a project's official source code repository before being backported to distributions. A key example is the GNU Tar CVE-2022-48303, a one-byte memory safety bug in versions through 1.34 that was fixed upstream but required downstream Linux distributions and embedded products to issue their own advisories and patches. Topics include the nature of the vulnerability, the upstream patch, and the downstream rollout process. This tag is relevant for users tracking how security fixes flow from open-source projects to end-user systems.
1. GNU Tar CVE-2022-48303: One-byte memory safety bug and its patch

   GNU Tar’s handling of an old V7 archive format triggered a subtle memory-safety problem that quietly landed in the CVE lists: CVE-2022-48303 is a one-byte out-of-bounds read in GNU Tar through version 1.34 that can cause use of uninitialized memory during a conditional jump — a bug that was...